Cannot authorize users other than default "John Doe"
Brian Hogans
brianhogans at gmail.com
Sun Jul 2 02:28:38 CEST 2017
First is a failed test. (couldn’t exactly tell where it began and ended, might have copied too much text). Seems like they are both using EAP-PEAP but maybe I’m mistaken. Not sure by reading what I’m missing.
rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=121
User-Name = "test"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "04a151235d3c"
Calling-Station-Id = "b853ac7af8af"
NAS-Identifier = "04a151235d3c"
NAS-Port = 45
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020000090174657374
Message-Authenticator = 0xd6876568d04adfae1a8dc597d5f170ab
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 0 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[sql] expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
rlm_sql (sql): Reserving sql socket id: 18
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
rlm_sql (sql): Released sql socket id: 18
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 50039
EAP-Message = 0x0101001604100bb6fcfca6af7dc22064ddd5a982c685
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x56c5e83956c4ec1059e8fcd700a9cbe3
Finished request 30.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=138
Cleaning up request 30 ID 0 with timestamp +408
User-Name = "test"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "04a151235d3c"
Calling-Station-Id = "b853ac7af8af"
NAS-Identifier = "04a151235d3c"
NAS-Port = 45
Framed-MTU = 1400
State = 0x56c5e83956c4ec1059e8fcd700a9cbe3
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020100080319152b
Message-Authenticator = 0x569958b8550134d78cc687d9a04c21ba
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[sql] expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
rlm_sql (sql): Reserving sql socket id: 17
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
rlm_sql (sql): Released sql socket id: 17
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 50039
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x56c5e83957c7f11059e8fcd700a9cbe3
Finished request 31.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=257
Cleaning up request 31 ID 0 with timestamp +408
User-Name = "test"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "04a151235d3c"
Calling-Station-Id = "b853ac7af8af"
NAS-Identifier = "04a151235d3c"
NAS-Port = 45
Framed-MTU = 1400
State = 0x56c5e83957c7f11059e8fcd700a9cbe3
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0202007f19800000007516030100700100006c030159583c4fba968d39fc410de8eec268d5b0f4f6d440667e95e3136ca9b790054d00002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000
Message-Authenticator = 0x707833097727ab3ae61d8e452f65508f
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 127
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 117
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0070], ClientHello
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 02c4], Certificate
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 50039
EAP-Message = 0x93b519b66b02f0c2b9dce87d0a62a2c778915193da4112f2d22ebf223cfb9ccdbeb331f1cf47f274586e42df0408fc99446f4be2714c1cd2db4e0f585faac4c4aa5ed60767de82ad6e2071dc04ee77ce1e0d07b13b76404ff4f702d8e92642e4e7fb26271c5ddc9cdd0a9fa9462ed200da9f1eefc1598d2e9223a8571a752da003f8dc0feb4c5689420aa070a6dfd817ff4a230adb91fd462457d28cc184c713740de6c68273f089d2cdb3da2c087946278ce742eea6c0c79db71604f9f737548dc70d4b0395faf74efb6685083dfedd9d576fdedecaf6f989cb47ba5f480c88693bf9667d551f9371cbf2490203010001a30d300b30090603551d1304
EAP-Message = 0x40d8598eb5021fe8d452b8d2
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x56c5e83954c6f11059e8fcd700a9cbe3
Finished request 32.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=136
Cleaning up request 32 ID 0 with timestamp +408
User-Name = "test"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "04a151235d3c"
Calling-Station-Id = "b853ac7af8af"
NAS-Identifier = "04a151235d3c"
NAS-Port = 45
Framed-MTU = 1400
State = 0x56c5e83954c6f11059e8fcd700a9cbe3
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300061900
Message-Authenticator = 0x421ecc297169cf1e8a55bb5f6f9d5ec6
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 50039
EAP-Message = 0x01040070190003208396d20e3bef19b658a5296891ff3463d22a42d15d345d740d45b07d5906f75e6b5ba836416f6840bf0561e97a3f6a6062a839fb925aeec02ed1b7ff77a5c0231d3f8bb855737c865f7989d82fd813bc7b2cd446a609928a33532c0afc47b516030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x56c5e83955c1f11059e8fcd700a9cbe3
Finished request 33.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=274
Cleaning up request 33 ID 0 with timestamp +408
User-Name = "test"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "04a151235d3c"
Calling-Station-Id = "b853ac7af8af"
NAS-Identifier = "04a151235d3c"
NAS-Port = 45
Framed-MTU = 1400
State = 0x56c5e83955c1f11059e8fcd700a9cbe3
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0204009019800000008616030100461000004241042b0f0d744287c8baf011c5d4f3f02c33cd755f3dca6191ed52c8591e384e13a7303dc29a512503b48a78f1781bee725f529ac20a750c88e11cb33cdb3c5f05c514030100010116030100302b3003fe0220ebdff2b8823a05f3c213462163d0a5145937b0430031e95d7fdc827a82dea60cc89bceb16e5738663603
Message-Authenticator = 0x57a0d4dc6abb5d513c5cfd21aadee2e3
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 50039
EAP-Message = 0x0105004119001403010001011603010030c8765a080582e00ae18a20328f7d0317ca987085de00803ee1fd0e0bd54352397890a577486d8c11b3e34bfe7ecc56a9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x56c5e83952c0f11059e8fcd700a9cbe3
Finished request 34.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=136
Cleaning up request 34 ID 0 with timestamp +408
User-Name = "test"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "04a151235d3c"
Calling-Station-Id = "b853ac7af8af"
NAS-Identifier = "04a151235d3c"
NAS-Port = 45
Framed-MTU = 1400
State = 0x56c5e83952c0f11059e8fcd700a9cbe3
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020500061900
Message-Authenticator = 0xe1d254510fb825e6e0f7909cf3c23e33
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 50039
EAP-Message = 0x0106002b19001703010020c18e27bd09b1381d6e2b7279225abd611c041091b59b5a927eb2cf7fe1c67eeb
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x56c5e83953c3f11059e8fcd700a9cbe3
Finished request 35.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=173
Cleaning up request 35 ID 0 with timestamp +408
User-Name = "test"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "04a151235d3c"
Calling-Station-Id = "b853ac7af8af"
NAS-Identifier = "04a151235d3c"
NAS-Port = 45
Framed-MTU = 1400
State = 0x56c5e83953c3f11059e8fcd700a9cbe3
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0206002b190017030100203a8f919da04ebc373fa4fd60286ebeadd3a1cb953fcd9a3514eb042ac79736ba
Message-Authenticator = 0xe41b96134553d063a4f78831390a0145
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 6 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - test
[peap] Got inner identity 'test'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x020600090174657374
server {
[peap] Setting User-Name to test
Sending tunneled request
EAP-Message = 0x020600090174657374
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 6 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x0107001e1a0107001910d8d6a5029ef8e0ce8690cb31534e903574657374
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe3a53b0ee3a22103e80c239114094b7a
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x0107001e1a0107001910d8d6a5029ef8e0ce8690cb31534e903574657374
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe3a53b0ee3a22103e80c239114094b7a
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 50039
EAP-Message = 0x0107003b1900170301003030ba75f4a66fae8c6773a4d53af411a1201e26b71a9afb000b665738ce05e75edcc832e52c8e282797c17d5cf6b70752
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x56c5e83950c2f11059e8fcd700a9cbe3
Finished request 36.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=221
Cleaning up request 36 ID 0 with timestamp +408
User-Name = "test"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "04a151235d3c"
Calling-Station-Id = "b853ac7af8af"
NAS-Identifier = "04a151235d3c"
NAS-Port = 45
Framed-MTU = 1400
State = 0x56c5e83950c2f11059e8fcd700a9cbe3
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0207005b190017030100500ea54a4586f96bacad82fa8cb728c056e5f1a28ed8bb4d602bb532f4778ad25c052ae4e66a4e41496e71a2c34ebc5827c4f5ed2bb7530a63ce4abe16807ef5d364a84d0aec84e882e3cb75aacf5ca6cc
Message-Authenticator = 0x814ac94db845338cedd9d99d3a14e07c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 7 length 91
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x0207003f1a0207003a31147a3a58b9bb60c90e6abe9c2fe6b7ee0000000000000000e72e88852562339873cf5e5867f2c17bc5f5fba4dea79cb70074657374
server {
[peap] Setting User-Name to test
Sending tunneled request
EAP-Message = 0x0207003f1a0207003a31147a3a58b9bb60c90e6abe9c2fe6b7ee0000000000000000e72e88852562339873cf5e5867f2c17bc5f5fba4dea79cb70074657374
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test"
State = 0xe3a53b0ee3a22103e80c239114094b7a
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 7 length 63
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: test
[mschap] Client is using MS-CHAPv2 for test, we need NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 50039
EAP-Message = 0x0108002b19001703010020df30d157fb2bb8719d02c4294eb2e34cf622c8e77e89e98db4d1fe17780b26c9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x56c5e83951cdf11059e8fcd700a9cbe3
Finished request 37.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=173
Cleaning up request 37 ID 0 with timestamp +408
User-Name = "test"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "04a151235d3c"
Calling-Station-Id = "b853ac7af8af"
NAS-Identifier = "04a151235d3c"
NAS-Port = 45
Framed-MTU = 1400
State = 0x56c5e83951cdf11059e8fcd700a9cbe3
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0208002b19001703010020abcd2f4c2b9f8cb9ed842ec21e8fdc8f3e5f6ebacba2b991f0252f9246e99ec8
Message-Authenticator = 0xe37e33b2b2647dce1fdad3d6e133479c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[sql] expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
[sql] expand: %{User-Password} ->
[sql] ... expanding second conditional
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test', '', 'Access-Reject', '2017-07-01 20:20:32')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test', '', 'Access-Reject', '2017-07-01 20:20:32')
rlm_sql (sql): Reserving sql socket id: 16
rlm_sql (sql): Released sql socket id: 16
++[sql] = ok
[attr_filter.access_reject] expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 38 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 38
Sending Access-Reject of id 0 to 192.168.1.1 port 50039
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 38 ID 0 with timestamp +409
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.1 port 36006, id=13, length=69
User-Name = "00:22:58:7d:fd:7d"
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
User-Password = "testing123"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "00:22:58:7d:fd:7d", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[sql] expand: %{User-Name} -> 00:22:58:7d:fd:7d
[sql] sql_set_user escaped user --> '00:22:58:7d:fd:7d'
rlm_sql (sql): Reserving sql socket id: 15
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '00:22:58:7d:fd:7d' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '00:22:58:7d:fd:7d' ORDER BY priority
rlm_sql (sql): Released sql socket id: 15
[sql] User 00:22:58:7d:fd:7d not found
++[sql] = notfound
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[sql] expand: %{User-Name} -> 00:22:58:7d:fd:7d
[sql] sql_set_user escaped user --> '00:22:58:7d:fd:7d'
[sql] expand: %{User-Password} -> testing123
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '00:22:58:7d:fd:7d', 'testing123', 'Access-Reject', '2017-07-01 20:21:34')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '00:22:58:7d:fd:7d', 'testing123', 'Access-Reject', '2017-07-01 20:21:34')
rlm_sql (sql): Reserving sql socket id: 14
rlm_sql (sql): Released sql socket id: 14
++[sql] = ok
[attr_filter.access_reject] expand: %{User-Name} -> 00:22:58:7d:fd:7d
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 39 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
________________________________________________________________________________________________________________________________________________
Here's a successful test.
rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=129
User-Name = "John Doe"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "04a151235d3c"
Calling-Station-Id = "b853ac7af8af"
NAS-Identifier = "04a151235d3c"
NAS-Port = 45
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200000d014a6f686e20446f65
Message-Authenticator = 0x7a79937b215e3edbd56d0a283edd1ee0
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "John Doe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 0 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[sql] expand: %{User-Name} -> John Doe
[sql] sql_set_user escaped user --> 'John Doe'
rlm_sql (sql): Reserving sql socket id: 31
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'John Doe' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'John Doe' ORDER BY priority
rlm_sql (sql): Released sql socket id: 31
[sql] User John Doe not found
++[sql] = notfound
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 50039
EAP-Message = 0x010100160410bbe0563ca46d98903186aae04d0ecf6e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2cbc36db2cbd32dda40dc75c373a2704
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=142
Cleaning up request 0 ID 0 with timestamp +25
User-Name = "John Doe"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "04a151235d3c"
Calling-Station-Id = "b853ac7af8af"
NAS-Identifier = "04a151235d3c"
NAS-Port = 45
Framed-MTU = 1400
State = 0x2cbc36db2cbd32dda40dc75c373a2704
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020100080319152b
Message-Authenticator = 0xff6cb93ab2439ddd9fa9351616f62018
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "John Doe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[sql] expand: %{User-Name} -> John Doe
[sql] sql_set_user escaped user --> 'John Doe'
rlm_sql (sql): Reserving sql socket id: 30
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'John Doe' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'John Doe' ORDER BY priority
rlm_sql (sql): Released sql socket id: 30
[sql] User John Doe not found
++[sql] = notfound
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 50039
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2cbc36db2dbe2fdda40dc75c373a2704
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=261
Cleaning up request 1 ID 0 with timestamp +25
User-Name = "John Doe"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "04a151235d3c"
Calling-Station-Id = "b853ac7af8af"
NAS-Identifier = "04a151235d3c"
NAS-Port = 45
Framed-MTU = 1400
State = 0x2cbc36db2dbe2fdda40dc75c373a2704
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0202007f19800000007516030100700100006c030159583d388d9a6c7e077e3a220c0bc6c54d76ceabfdbae16ed8618c2d2abd0c2d00002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000
Message-Authenticator = 0xea28a029c063909831f3570ed5947f35
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "John Doe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 127
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 117
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0070], ClientHello
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 02c4], Certificate
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 50039
EAP-Message = 0x9c9f2dd70a6808508cafd093
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2cbc36db2ebf2fdda40dc75c373a2704
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=140
Cleaning up request 2 ID 0 with timestamp +25
User-Name = "John Doe"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "04a151235d3c"
Calling-Station-Id = "b853ac7af8af"
NAS-Identifier = "04a151235d3c"
NAS-Port = 45
Framed-MTU = 1400
State = 0x2cbc36db2ebf2fdda40dc75c373a2704
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300061900
Message-Authenticator = 0xcbe89a2a0ba23b8d1d86cf093be70f71
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "John Doe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 50039
EAP-Message = 0x010400701900df6c1cb9c1b759665131bfae9073ef3ad48ce782a606e291da4e01b99ca31ba98eae76a2debb30500de88d8d501ab51cd644dc7024b49d898ca66093a1f3e77c3b927649b2888bd626b5fc9d872f991f8eeb7fbcbca6681f9e5f5f9fb9f7105f5d16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2cbc36db2fb82fdda40dc75c373a2704
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=278
Cleaning up request 3 ID 0 with timestamp +25
User-Name = "John Doe"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "04a151235d3c"
Calling-Station-Id = "b853ac7af8af"
NAS-Identifier = "04a151235d3c"
NAS-Port = 45
Framed-MTU = 1400
State = 0x2cbc36db2fb82fdda40dc75c373a2704
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020400901980000000861603010046100000424104b66d9b6ab00da45b063d9cb5513da3c2cfc93889ea938d1089767ab4179a43c2d6df6643a1a80d9dfcd6d90ba7f910207139ed6eb3d80a02a519347e02c782d414030100010116030100309391156011db0e96ca5f5ceaf48655bf18b0b582bdeb51a7c6b1e29786386aa2e31f14d7d1893e956723584672faa544
Message-Authenticator = 0x4e7e100c4a3cd3c214daec066ef43a8e
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "John Doe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 50039
EAP-Message = 0x01050041190014030100010116030100305ec45bfac387fd2caeb10e58160c7b3cfa6b7006d2efc8f4fdaac7d2355e62423509048ac61185f3bbc608bcd7d5b3b5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2cbc36db28b92fdda40dc75c373a2704
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=140
Cleaning up request 4 ID 0 with timestamp +25
User-Name = "John Doe"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "04a151235d3c"
Calling-Station-Id = "b853ac7af8af"
NAS-Identifier = "04a151235d3c"
NAS-Port = 45
Framed-MTU = 1400
State = 0x2cbc36db28b92fdda40dc75c373a2704
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020500061900
Message-Authenticator = 0x9a3a385138a93fc79a810aca891342d3
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "John Doe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 50039
EAP-Message = 0x0106002b190017030100204ed57ceeb6222f6ce784070d88311c2fa826741a70b374395cba4dc419a320ef
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2cbc36db29ba2fdda40dc75c373a2704
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=177
Cleaning up request 5 ID 0 with timestamp +25
User-Name = "John Doe"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "04a151235d3c"
Calling-Station-Id = "b853ac7af8af"
NAS-Identifier = "04a151235d3c"
NAS-Port = 45
Framed-MTU = 1400
State = 0x2cbc36db29ba2fdda40dc75c373a2704
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0206002b190017030100202da6b49225db08f9af496625c49dd02f91c325a48e23f77a8a0976112121b0c8
Message-Authenticator = 0x4956f1952466c46aad3bc602953ea5a5
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "John Doe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 6 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - John Doe
[peap] Got inner identity 'John Doe'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0206000d014a6f686e20446f65
server {
[peap] Setting User-Name to John Doe
Sending tunneled request
EAP-Message = 0x0206000d014a6f686e20446f65
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "John Doe"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "John Doe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 6 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry John Doe at line 90
[files] expand: Hello, %{User-Name} -> Hello, John Doe
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
Reply-Message = "Hello, John Doe"
EAP-Message = 0x010700221a0107001d1022248ca453e8f76ed2b3a3e2e4abbfca4a6f686e20446f65
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x277ade67277dc4d2c79f13f3806da1b3
[peap] Got tunneled reply RADIUS code 11
Reply-Message = "Hello, John Doe"
EAP-Message = 0x010700221a0107001d1022248ca453e8f76ed2b3a3e2e4abbfca4a6f686e20446f65
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x277ade67277dc4d2c79f13f3806da1b3
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 50039
EAP-Message = 0x0107004b19001703010040fb652c4ea7ddfe1e476b9f0f6e15f1da76efe99daceeaf6c08e00a6909318acbf0bf3a6695ab22844b5e4fe13e83f22d2cba465d072ab9e130631e5cb94c1089
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2cbc36db2abb2fdda40dc75c373a2704
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=241
Cleaning up request 6 ID 0 with timestamp +25
User-Name = "John Doe"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "04a151235d3c"
Calling-Station-Id = "b853ac7af8af"
NAS-Identifier = "04a151235d3c"
NAS-Port = 45
Framed-MTU = 1400
State = 0x2cbc36db2abb2fdda40dc75c373a2704
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0207006b1900170301006051acaec17ba88679526186d1c88d976dcd1c63c4f97bca573a65c91f43d3a7f363d469d61085e2cebe26e3864eb231c92fe535115a36de1db188b175a82214a0e53b022065a59ebccd9b03889034034d860fb9a83889c5689d2a0fa58d0bee85
Message-Authenticator = 0xb7f6a3d2a313ce13b9df084acc27649e
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "John Doe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 7 length 107
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020700431a0207003e313730cb5300654e05eaeeaa8d640a0e0d00000000000000000207d42bc1f0727534f312ff980b07b0c4d572994b0def6a004a6f686e20446f65
server {
[peap] Setting User-Name to John Doe
Sending tunneled request
EAP-Message = 0x020700431a0207003e313730cb5300654e05eaeeaa8d640a0e0d00000000000000000207d42bc1f0727534f312ff980b07b0c4d572994b0def6a004a6f686e20446f65
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "John Doe"
State = 0x277ade67277dc4d2c79f13f3806da1b3
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "John Doe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 7 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry John Doe at line 90
[files] expand: Hello, %{User-Name} -> Hello, John Doe
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] Creating challenge hash with username: John Doe
[mschap] Client is using MS-CHAPv2 for John Doe, we need NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] = ok
+} # group MS-CHAP = ok
MSCHAP Success
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
Reply-Message = "Hello, John Doe"
EAP-Message = 0x010800331a0307002e533d44313644303030334135304437343643354233423943464536463834343643374634464434343241
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x277ade672672c4d2c79f13f3806da1b3
[peap] Got tunneled reply RADIUS code 11
Reply-Message = "Hello, John Doe"
EAP-Message = 0x010800331a0307002e533d44313644303030334135304437343643354233423943464536463834343643374634464434343241
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x277ade672672c4d2c79f13f3806da1b3
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 50039
EAP-Message = 0x0108005b19001703010050e1d2d94cc6f03d0f088e359a933b203ec7231a1e8876f6a883a73d7688b6bece47bb79ab4fc069915e9aa828a8988b0c47b3bfe803120f54ce6f998a596f1b248a95f8e8d641c7db958611f8c4f9632b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2cbc36db2bb42fdda40dc75c373a2704
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=177
Cleaning up request 7 ID 0 with timestamp +25
User-Name = "John Doe"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "04a151235d3c"
Calling-Station-Id = "b853ac7af8af"
NAS-Identifier = "04a151235d3c"
NAS-Port = 45
Framed-MTU = 1400
State = 0x2cbc36db2bb42fdda40dc75c373a2704
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0208002b190017030100202bd8a62b61a412e286fc75415a50df7362211bea782fa1ffdcb2c640490881cb
Message-Authenticator = 0xdb1e577830c82fd3f04cee76286dcd7b
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "John Doe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020800061a03
server {
[peap] Setting User-Name to John Doe
Sending tunneled request
EAP-Message = 0x020800061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "John Doe"
State = 0x277ade672672c4d2c79f13f3806da1b3
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "John Doe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 8 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry John Doe at line 90
[files] expand: Hello, %{User-Name} -> Hello, John Doe
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
[peap] Got tunneled reply code 2
Reply-Message = "Hello, John Doe"
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0x058b95207a82d4a2a1ceb223e3ca00ef
MS-MPPE-Recv-Key = 0xcc842f46892378ed7a1224fd8758b728
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "John Doe"
[peap] Got tunneled reply RADIUS code 2
Reply-Message = "Hello, John Doe"
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0x058b95207a82d4a2a1ceb223e3ca00ef
MS-MPPE-Recv-Key = 0xcc842f46892378ed7a1224fd8758b728
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "John Doe"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 50039
EAP-Message = 0x0109002b190017030100208b133db85b6a423a1f73511128560ffeb919667bcf93d28ba64d9d32f069591e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2cbc36db24b52fdda40dc75c373a2704
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=177
Cleaning up request 8 ID 0 with timestamp +25
User-Name = "John Doe"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "04a151235d3c"
Calling-Station-Id = "b853ac7af8af"
NAS-Identifier = "04a151235d3c"
NAS-Port = 45
Framed-MTU = 1400
State = 0x2cbc36db24b52fdda40dc75c373a2704
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0209002b1900170301002011b49092f1de57876becec07cee215290108b267f2019129ae7873046f4f77e3
Message-Authenticator = 0x89092ff5a40a4e77f255fe33b1fdfc7d
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "John Doe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
[sql] expand: %{User-Name} -> John Doe
[sql] sql_set_user escaped user --> 'John Doe'
[sql] expand: %{User-Password} ->
[sql] ... expanding second conditional
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'John Doe', '', 'Access-Accept', '2017-07-01 20:24:24')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'John Doe', '', 'Access-Accept', '2017-07-01 20:24:24')
rlm_sql (sql): Reserving sql socket id: 29
rlm_sql (sql): Released sql socket id: 29
++[sql] = ok
++[exec] = noop
+} # group post-auth = ok
Sending Access-Accept of id 0 to 192.168.1.1 port 50039
MS-MPPE-Recv-Key = 0x946ef363b21a7d1bbfa42cb5d45e23434493f1c464ae5005f1b8ae839803b0a8
MS-MPPE-Send-Key = 0x0ed0756c845db40fa6a544a824debc87485d003e09afed3b9536251fb6c18d9b
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "John Doe"
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 9 ID 0 with timestamp +25
Ready to process requests.
> On Jul 1, 2017, at 8:08 PM, Matthew Newton <matthew at newtoncomputing.co.uk> wrote:
>
> On Sat, Jul 01, 2017 at 11:52:04PM +0000, Brian Hogans wrote:
>> I'm sorry I'm still new at this. How would I get you the full
>> debug? Or where can I find the steps to do so?
>
> OK... same as you did before. Run FreeRADIUS like
>
> radiusd -X
>
> (or likely "freeradius -X" if it's a Debian system). Then try and
> authenticate (both a successful and failed auth is best).
>
> Then stop FreeRADIUS and send all the output.
>
> Easiest is to do something like
>
> radiusd -X | tee debuglog
>
> then when you Ctrl-C to quit the file "debuglog" will contain it
> all.
>
> The key is to try and authenticate otherwise the debug output
> doesn't show what's actually happening.
>
> But before you send it, it's best to read the debug output through
> yourself. It will tell you exactly what the server is doing.
> Compare successful and failed and you'll hopefully see what's
> different and therefore what is going wrong.
>
> --
> Matthew
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
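
The side-by-side reading of a successful and a failed run that the quoted reply recommends can be scripted. This is an added example, not part of the original thread or of FreeRADIUS: `parse_debug` and `compare` are hypothetical names, and the embedded log is a constructed, abridged sample in the `-X` format shown above (the `test` conversation's inner-tunnel lines and its reject are invented for illustration, not the poster's output).

```python
import re
from collections import defaultdict

# Constructed, abridged sample in the shape of `radiusd -X` output.
SAMPLE = '''\
rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=142
    User-Name = "John Doe"
+group authorize {
++[preprocess] = ok
[sql] User John Doe not found
++[sql] = notfound
++[pap] = noop
+} # group authorize = updated
server inner-tunnel {
+group authorize {
++[eap] = updated
[files] users: Matched entry John Doe at line 90
++[files] = ok
+} # group authorize = updated
} # server inner-tunnel
Sending Access-Challenge of id 0 to 192.168.1.1 port 50039
Sending Access-Accept of id 0 to 192.168.1.1 port 50039
rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=121
    User-Name = "test"
+group authorize {
++[preprocess] = ok
[sql] User found in radcheck table
++[sql] = ok
++[pap] = noop
+} # group authorize = updated
server inner-tunnel {
+group authorize {
++[eap] = updated
++[files] = noop
+} # group authorize = updated
} # server inner-tunnel
Sending Access-Reject of id 0 to 192.168.1.1 port 50039
'''

def parse_debug(text):
    """Map outer User-Name -> final outcome and the return codes each module
    gave, keyed by (virtual server, section, module)."""
    users, cur = {}, None
    server, section = "default", ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("rad_recv:"):           # a new outer request begins
            cur, server, section = None, "default", ""
        elif cur is None:
            m = re.match(r'User-Name = "(.*)"$', line)
            if m:                                   # first User-Name = outer identity
                cur = users.setdefault(
                    m.group(1), {"outcome": None, "results": defaultdict(set)})
        elif (m := re.match(r'server (\S+) \{$', line)):
            server = m.group(1)                     # entering e.g. inner-tunnel
        elif line.startswith("} # server "):
            server = "default"                      # back in the outer server
        elif (m := re.search(r'\+group (\S+) \{$', line)):
            section = m.group(1)                    # authorize / authenticate / ...
        elif (m := re.match(r'\++\[([\w.-]+)\] = (\w+)$', line)):
            cur["results"][(server, section, m.group(1))].add(m.group(2))
        elif (m := re.match(r'Sending Access-(Accept|Reject) ', line)):
            cur["outcome"] = m.group(1)             # challenges are not final
    return users

def compare(trace, good_user, bad_user):
    """List (key, good_codes, bad_codes) wherever the two conversations differ."""
    good, bad = trace[good_user]["results"], trace[bad_user]["results"]
    diffs = []
    for key in sorted(set(good) | set(bad)):
        g, b = sorted(good.get(key, ())), sorted(bad.get(key, ()))
        if g != b:
            diffs.append((key, g, b))
    return diffs

if __name__ == "__main__":
    trace = parse_debug(SAMPLE)
    for user, info in trace.items():
        print(f"{user!r}: {info['outcome']}")
    for (server, section, module), g, b in compare(trace, "John Doe", "test"):
        print(f"{server}/{section}/{module}: good={g} bad={b}")
```

To use it on a real capture, pass the contents of the `debuglog` file written by `radiusd -X | tee debuglog` to `parse_debug` instead of `SAMPLE`.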