TTLS + GTC Configuration -> No Error in log but cleint stuck on "connecting"
Alan Buxey
alan.buxey at gmail.com
Thu Sep 14 13:42:51 CEST 2017
client configured with GTC for EAP TTLS ? it looks like its not happy
responding to the GTC challenge..
alan
On 14 September 2017 at 10:32, Mark <mclarke4 at gmail.com> wrote:
> Hi all,
>
> I have a openldap server with hashed password and am attempting to set up
> WPA-Enterprise authentication. I have enabled the ldpap module and straight
> authentication usng ldap and pap works. i.e the proxy server authenticates
> without any problems.
>
> I have the client configured to use ttls and gtc. I have done the same with
> the eap configuration file. I don't get any error messages in the log file
> when trying to connect. (I regengerated the ssl certs as hinted at by a
> previous message but this took away the ssl cert warning but did not solve
> the problem.)
>
> Below is the debug log output. Trying to understand radius and the whole
> EAP protocol requires a large amount of effort. I have already understood a
> lot more than I did 3 days ago but am not at the end of my concpetual
> models ability to trouble shoot this problem. I have tried setting the
> Auth-Type: to LDAP in the gtc configuration in the eap conf file as well
> but the results are the same.
>
> Any help or hints appreciated. From the log file below it looks like the
> client is not responding to the final Access-Challenge. The only other idea
> I have is that the User-Password: field is not being passed to the eap
> process? Not sure how to fix that or if it is the problem.
>
> Thanks
>
> Ready to process requests
> (0) Received Access-Request Id 224 from 192.168.45.05:37339 to
> 192.168.45.74:1812 length 166
> (0) User-Name = "bob"
> (0) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
> (0) NAS-Port-Type = Wireless-802.11
> (0) NAS-Port = 0
> (0) Calling-Station-Id = "60-FE-1E-A0-4F-C4"
> (0) Connect-Info = "CONNECT 0Mbps 802.11b"
> (0) Acct-Session-Id = "59B902E8-000000EA"
> (0) Framed-MTU = 1400
> (0) EAP-Message = 0x02270009016d61726b
> (0) Message-Authenticator = 0x4e878ddb529b319d77ea2abfb3131112
> (0) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (0) authorize {
> (0) policy filter_username {
> (0) if (&User-Name) {
> (0) if (&User-Name) -> TRUE
> (0) if (&User-Name) {
> (0) if (&User-Name =~ / /) {
> (0) if (&User-Name =~ / /) -> FALSE
> (0) if (&User-Name =~ /@[^@]*@/ ) {
> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (0) if (&User-Name =~ /\.\./ ) {
> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
> FALSE
> (0) if (&User-Name =~ /\.$/) {
> (0) if (&User-Name =~ /\.$/) -> FALSE
> (0) if (&User-Name =~ /@\./) {
> (0) if (&User-Name =~ /@\./) -> FALSE
> (0) } # if (&User-Name) = notfound
> (0) } # policy filter_username = notfound
> (0) [preprocess] = ok
> (0) auth_log: EXPAND
> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> (0) auth_log: --> /var/log/freeradius/radacct/
> 192.168.45.05/auth-detail-20170914
> (0) auth_log:
> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-20170914
> (0) auth_log: EXPAND %t
> (0) auth_log: --> Thu Sep 14 11:19:11 2017
> (0) [auth_log] = ok
> (0) [chap] = noop
> (0) [mschap] = noop
> (0) [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "bob", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0) [suffix] = noop
> (0) eap: Peer sent EAP Response (code 2) ID 39 length 9
> (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (0) [eap] = ok
> (0) } # authorize = ok
> (0) Found Auth-Type = eap
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0) authenticate {
> (0) eap: Peer sent packet with method EAP Identity (1)
> (0) eap: Calling submodule eap_ttls to process data
> (0) eap_ttls: Initiating new EAP-TLS session
> (0) eap_ttls: [eaptls start] = request
> (0) eap: Sending EAP Request (code 1) ID 40 length 6
> (0) eap: EAP session adding &reply:State = 0xbdc37936bdeb6cdd
> (0) [eap] = handled
> (0) } # authenticate = handled
> (0) Using Post-Auth-Type Challenge
> (0) Post-Auth-Type sub-section not found. Ignoring.
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0) Sent Access-Challenge Id 224 from 192.168.45.74:1812 to
> 192.168.45.05:37339 length 0
> (0) EAP-Message = 0x012800061520
> (0) Message-Authenticator = 0x00000000000000000000000000000000
> (0) State = 0xbdc37936bdeb6cdd84932144ea25780b
> (0) Finished request
> Waking up in 4.9 seconds.
> (1) Received Access-Request Id 225 from 192.168.45.05:37339 to
> 192.168.45.74:1812 length 339
> (1) User-Name = "bob"
> (1) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
> (1) NAS-Port-Type = Wireless-802.11
> (1) NAS-Port = 0
> (1) Calling-Station-Id = "60-FE-1E-A0-4F-C4"
> (1) Connect-Info = "CONNECT 0Mbps 802.11b"
> (1) Acct-Session-Id = "59B902E8-000000EA"
> (1) Framed-MTU = 1400
> (1) EAP-Message =
> 0x022800a4150016030100990100009503030a1c1c168f1fe7ca21b8e5ee873c19ba1e777641a3b13e1cca092bfa7fe66fc100003cc02cc030009fc02bc02f009ec00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a00ff01000030001700
> (1) State = 0xbdc37936bdeb6cdd84932144ea25780b
> (1) Message-Authenticator = 0xc6c693312fb56f022f47198c94f4c3c7
> (1) session-state: No cached attributes
> (1) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (1) authorize {
> (1) policy filter_username {
> (1) if (&User-Name) {
> (1) if (&User-Name) -> TRUE
> (1) if (&User-Name) {
> (1) if (&User-Name =~ / /) {
> (1) if (&User-Name =~ / /) -> FALSE
> (1) if (&User-Name =~ /@[^@]*@/ ) {
> (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (1) if (&User-Name =~ /\.\./ ) {
> (1) if (&User-Name =~ /\.\./ ) -> FALSE
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
> FALSE
> (1) if (&User-Name =~ /\.$/) {
> (1) if (&User-Name =~ /\.$/) -> FALSE
> (1) if (&User-Name =~ /@\./) {
> (1) if (&User-Name =~ /@\./) -> FALSE
> (1) } # if (&User-Name) = notfound
> (1) } # policy filter_username = notfound
> (1) [preprocess] = ok
> (1) auth_log: EXPAND
> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> (1) auth_log: --> /var/log/freeradius/radacct/
> 192.168.45.05/auth-detail-20170914
> (1) auth_log:
> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-20170914
> (1) auth_log: EXPAND %t
> (1) auth_log: --> Thu Sep 14 11:19:11 2017
> (1) [auth_log] = ok
> (1) [chap] = noop
> (1) [mschap] = noop
> (1) [digest] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: No '@' in User-Name = "bob", looking up realm NULL
> (1) suffix: No such realm "NULL"
> (1) [suffix] = noop
> (1) eap: Peer sent EAP Response (code 2) ID 40 length 164
> (1) eap: Continuing tunnel setup
> (1) [eap] = ok
> (1) } # authorize = ok
> (1) Found Auth-Type = eap
> (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (1) authenticate {
> (1) eap: Expiring EAP session with state 0xbdc37936bdeb6cdd
> (1) eap: Finished EAP session with state 0xbdc37936bdeb6cdd
> (1) eap: Previous EAP request found for state 0xbdc37936bdeb6cdd, released
> from the list
> (1) eap: Peer sent packet with method EAP TTLS (21)
> (1) eap: Calling submodule eap_ttls to process data
> (1) eap_ttls: Authenticate
> (1) eap_ttls: Continuing EAP-TLS
> (1) eap_ttls: Got final TLS record fragment (158 bytes)
> (1) eap_ttls: WARNING: Total received TLS record fragments (158 bytes),
> does not equal indicated TLS record length (0 bytes)
> (1) eap_ttls: [eaptls verify] = ok
> (1) eap_ttls: Done initial handshake
> (1) eap_ttls: (other): before SSL initialization
> (1) eap_ttls: TLS_accept: before SSL initialization
> (1) eap_ttls: TLS_accept: before SSL initialization
> (1) eap_ttls: <<< recv TLS 1.2 [length 0099]
> (1) eap_ttls: TLS_accept: SSLv3/TLS read client hello
> (1) eap_ttls: >>> send TLS 1.2 [length 003d]
> (1) eap_ttls: TLS_accept: SSLv3/TLS write server hello
> (1) eap_ttls: >>> send TLS 1.2 [length 08d3]
> (1) eap_ttls: TLS_accept: SSLv3/TLS write certificate
> (1) eap_ttls: >>> send TLS 1.2 [length 014d]
> (1) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
> (1) eap_ttls: >>> send TLS 1.2 [length 0004]
> (1) eap_ttls: TLS_accept: SSLv3/TLS write server done
> (1) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server
> done
> (1) eap_ttls: In SSL Handshake Phase
> (1) eap_ttls: In SSL Accept mode
> (1) eap_ttls: [eaptls process] = handled
> (1) eap: Sending EAP Request (code 1) ID 41 length 1004
> (1) eap: EAP session adding &reply:State = 0xbdc37936bcea6cdd
> (1) [eap] = handled
> (1) } # authenticate = handled
> (1) Using Post-Auth-Type Challenge
> (1) Post-Auth-Type sub-section not found. Ignoring.
> (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (1) Sent Access-Challenge Id 225 from 192.168.45.74:1812 to
> 192.168.45.05:37339 length 0
> (1) EAP-Message =
> 0x012903ec15c000000a75160303003d020000390303bfef2af615bb30a1795e1502febfbbcfaf0829baff49038576161b0bbe9082d500c030000011ff01000100000b0004030001020017000016030308d30b0008cf0008cc0003de308203da308202c2a003020102020101300d06092a864886f70d0101
> (1) Message-Authenticator = 0x00000000000000000000000000000000
> (1) State = 0xbdc37936bcea6cdd84932144ea25780b
> (1) Finished request
> Waking up in 4.9 seconds.
> (2) Received Access-Request Id 226 from 192.168.45.05:37339 to
> 192.168.45.74:1812 length 181
> (2) User-Name = "bob"
> (2) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
> (2) NAS-Port-Type = Wireless-802.11
> (2) NAS-Port = 0
> (2) Calling-Station-Id = "60-FE-1E-A0-4F-C4"
> (2) Connect-Info = "CONNECT 0Mbps 802.11b"
> (2) Acct-Session-Id = "59B902E8-000000EA"
> (2) Framed-MTU = 1400
> (2) EAP-Message = 0x022900061500
> (2) State = 0xbdc37936bcea6cdd84932144ea25780b
> (2) Message-Authenticator = 0x5e81d512883c3437d5d7c4b1576509da
> (2) session-state: No cached attributes
> (2) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (2) authorize {
> (2) policy filter_username {
> (2) if (&User-Name) {
> (2) if (&User-Name) -> TRUE
> (2) if (&User-Name) {
> (2) if (&User-Name =~ / /) {
> (2) if (&User-Name =~ / /) -> FALSE
> (2) if (&User-Name =~ /@[^@]*@/ ) {
> (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (2) if (&User-Name =~ /\.\./ ) {
> (2) if (&User-Name =~ /\.\./ ) -> FALSE
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
> FALSE
> (2) if (&User-Name =~ /\.$/) {
> (2) if (&User-Name =~ /\.$/) -> FALSE
> (2) if (&User-Name =~ /@\./) {
> (2) if (&User-Name =~ /@\./) -> FALSE
> (2) } # if (&User-Name) = notfound
> (2) } # policy filter_username = notfound
> (2) [preprocess] = ok
> (2) auth_log: EXPAND
> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> (2) auth_log: --> /var/log/freeradius/radacct/
> 192.168.45.05/auth-detail-20170914
> (2) auth_log:
> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-20170914
> (2) auth_log: EXPAND %t
> (2) auth_log: --> Thu Sep 14 11:19:11 2017
> (2) [auth_log] = ok
> (2) [chap] = noop
> (2) [mschap] = noop
> (2) [digest] = noop
> (2) suffix: Checking for suffix after "@"
> (2) suffix: No '@' in User-Name = "bob", looking up realm NULL
> (2) suffix: No such realm "NULL"
> (2) [suffix] = noop
> (2) eap: Peer sent EAP Response (code 2) ID 41 length 6
> (2) eap: Continuing tunnel setup
> (2) [eap] = ok
> (2) } # authorize = ok
> (2) Found Auth-Type = eap
> (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (2) authenticate {
> (2) eap: Expiring EAP session with state 0xbdc37936bcea6cdd
> (2) eap: Finished EAP session with state 0xbdc37936bcea6cdd
> (2) eap: Previous EAP request found for state 0xbdc37936bcea6cdd, released
> from the list
> (2) eap: Peer sent packet with method EAP TTLS (21)
> (2) eap: Calling submodule eap_ttls to process data
> (2) eap_ttls: Authenticate
> (2) eap_ttls: Continuing EAP-TLS
> (2) eap_ttls: Peer ACKed our handshake fragment
> (2) eap_ttls: [eaptls verify] = request
> (2) eap_ttls: [eaptls process] = handled
> (2) eap: Sending EAP Request (code 1) ID 42 length 1004
> (2) eap: EAP session adding &reply:State = 0xbdc37936bfe96cdd
> (2) [eap] = handled
> (2) } # authenticate = handled
> (2) Using Post-Auth-Type Challenge
> (2) Post-Auth-Type sub-section not found. Ignoring.
> (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (2) Sent Access-Challenge Id 226 from 192.168.45.74:1812 to
> 192.168.45.05:37339 length 0
> (2) EAP-Message =
> 0x012a03ec15c000000a75318c53693caf5cec07a26c179201b35044f8b0a36585e88ac8887724d038dace205f76b50f376be76dd9ebe975518e8d82a931d370995cd79469cd39278883b89faf674e3bc275747a253d0cab0004e8308204e4308203cca003020102020900acfa1c7c27c4f226300d06092a
> (2) Message-Authenticator = 0x00000000000000000000000000000000
> (2) State = 0xbdc37936bfe96cdd84932144ea25780b
> (2) Finished request
> Waking up in 4.9 seconds.
> (3) Received Access-Request Id 227 from 192.168.45.05:37339 to
> 192.168.45.74:1812 length 181
> (3) User-Name = "bob"
> (3) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
> (3) NAS-Port-Type = Wireless-802.11
> (3) NAS-Port = 0
> (3) Calling-Station-Id = "60-FE-1E-A0-4F-C4"
> (3) Connect-Info = "CONNECT 0Mbps 802.11b"
> (3) Acct-Session-Id = "59B902E8-000000EA"
> (3) Framed-MTU = 1400
> (3) EAP-Message = 0x022a00061500
> (3) State = 0xbdc37936bfe96cdd84932144ea25780b
> (3) Message-Authenticator = 0x9fd121549085c6c53071b12b8b96285a
> (3) session-state: No cached attributes
> (3) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (3) authorize {
> (3) policy filter_username {
> (3) if (&User-Name) {
> (3) if (&User-Name) -> TRUE
> (3) if (&User-Name) {
> (3) if (&User-Name =~ / /) {
> (3) if (&User-Name =~ / /) -> FALSE
> (3) if (&User-Name =~ /@[^@]*@/ ) {
> (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (3) if (&User-Name =~ /\.\./ ) {
> (3) if (&User-Name =~ /\.\./ ) -> FALSE
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
> FALSE
> (3) if (&User-Name =~ /\.$/) {
> (3) if (&User-Name =~ /\.$/) -> FALSE
> (3) if (&User-Name =~ /@\./) {
> (3) if (&User-Name =~ /@\./) -> FALSE
> (3) } # if (&User-Name) = notfound
> (3) } # policy filter_username = notfound
> (3) [preprocess] = ok
> (3) auth_log: EXPAND
> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> (3) auth_log: --> /var/log/freeradius/radacct/
> 192.168.45.05/auth-detail-20170914
> (3) auth_log:
> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-20170914
> (3) auth_log: EXPAND %t
> (3) auth_log: --> Thu Sep 14 11:19:11 2017
> (3) [auth_log] = ok
> (3) [chap] = noop
> (3) [mschap] = noop
> (3) [digest] = noop
> (3) suffix: Checking for suffix after "@"
> (3) suffix: No '@' in User-Name = "bob", looking up realm NULL
> (3) suffix: No such realm "NULL"
> (3) [suffix] = noop
> (3) eap: Peer sent EAP Response (code 2) ID 42 length 6
> (3) eap: Continuing tunnel setup
> (3) [eap] = ok
> (3) } # authorize = ok
> (3) Found Auth-Type = eap
> (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (3) authenticate {
> (3) eap: Expiring EAP session with state 0xbdc37936bfe96cdd
> (3) eap: Finished EAP session with state 0xbdc37936bfe96cdd
> (3) eap: Previous EAP request found for state 0xbdc37936bfe96cdd, released
> from the list
> (3) eap: Peer sent packet with method EAP TTLS (21)
> (3) eap: Calling submodule eap_ttls to process data
> (3) eap_ttls: Authenticate
> (3) eap_ttls: Continuing EAP-TLS
> (3) eap_ttls: Peer ACKed our handshake fragment
> (3) eap_ttls: [eaptls verify] = request
> (3) eap_ttls: [eaptls process] = handled
> (3) eap: Sending EAP Request (code 1) ID 43 length 699
> (3) eap: EAP session adding &reply:State = 0xbdc37936bee86cdd
> (3) [eap] = handled
> (3) } # authenticate = handled
> (3) Using Post-Auth-Type Challenge
> (3) Post-Auth-Type sub-section not found. Ignoring.
> (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (3) Sent Access-Challenge Id 227 from 192.168.45.74:1812 to
> 192.168.45.05:37339 length 0
> (3) EAP-Message =
> 0x012b02bb158000000a750101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382010100e3995c54d00cee2fbbc14478b89b75b38a11643e5c1a51
> (3) Message-Authenticator = 0x00000000000000000000000000000000
> (3) State = 0xbdc37936bee86cdd84932144ea25780b
> (3) Finished request
> Waking up in 4.9 seconds.
> (4) Received Access-Request Id 228 from 192.168.45.05:37339 to
> 192.168.45.74:1812 length 307
> (4) User-Name = "bob"
> (4) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
> (4) NAS-Port-Type = Wireless-802.11
> (4) NAS-Port = 0
> (4) Calling-Station-Id = "60-FE-1E-A0-4F-C4"
> (4) Connect-Info = "CONNECT 0Mbps 802.11b"
> (4) Acct-Session-Id = "59B902E8-000000EA"
> (4) Framed-MTU = 1400
> (4) EAP-Message =
> 0x022b0084150016030300461000004241047d7abad05d5661d82c204f0d953f0ce6f5b508de608abf44b528fc3897c2f548baacdb60f5cd867ea90d976f1ad767249c4fc28ba8a810d62bb1102d57fd00e514030300010116030300280000000000000000c227b6f946893e02d0eac613069cdc09d93578
> (4) State = 0xbdc37936bee86cdd84932144ea25780b
> (4) Message-Authenticator = 0xb50eb2de770b6149c3752e62afebe833
> (4) session-state: No cached attributes
> (4) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (4) authorize {
> (4) policy filter_username {
> (4) if (&User-Name) {
> (4) if (&User-Name) -> TRUE
> (4) if (&User-Name) {
> (4) if (&User-Name =~ / /) {
> (4) if (&User-Name =~ / /) -> FALSE
> (4) if (&User-Name =~ /@[^@]*@/ ) {
> (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (4) if (&User-Name =~ /\.\./ ) {
> (4) if (&User-Name =~ /\.\./ ) -> FALSE
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
> FALSE
> (4) if (&User-Name =~ /\.$/) {
> (4) if (&User-Name =~ /\.$/) -> FALSE
> (4) if (&User-Name =~ /@\./) {
> (4) if (&User-Name =~ /@\./) -> FALSE
> (4) } # if (&User-Name) = notfound
> (4) } # policy filter_username = notfound
> (4) [preprocess] = ok
> (4) auth_log: EXPAND
> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> (4) auth_log: --> /var/log/freeradius/radacct/
> 192.168.45.05/auth-detail-20170914
> (4) auth_log:
> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-20170914
> (4) auth_log: EXPAND %t
> (4) auth_log: --> Thu Sep 14 11:19:11 2017
> (4) [auth_log] = ok
> (4) [chap] = noop
> (4) [mschap] = noop
> (4) [digest] = noop
> (4) suffix: Checking for suffix after "@"
> (4) suffix: No '@' in User-Name = "bob", looking up realm NULL
> (4) suffix: No such realm "NULL"
> (4) [suffix] = noop
> (4) eap: Peer sent EAP Response (code 2) ID 43 length 132
> (4) eap: Continuing tunnel setup
> (4) [eap] = ok
> (4) } # authorize = ok
> (4) Found Auth-Type = eap
> (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (4) authenticate {
> (4) eap: Expiring EAP session with state 0xbdc37936bee86cdd
> (4) eap: Finished EAP session with state 0xbdc37936bee86cdd
> (4) eap: Previous EAP request found for state 0xbdc37936bee86cdd, released
> from the list
> (4) eap: Peer sent packet with method EAP TTLS (21)
> (4) eap: Calling submodule eap_ttls to process data
> (4) eap_ttls: Authenticate
> (4) eap_ttls: Continuing EAP-TLS
> (4) eap_ttls: [eaptls verify] = ok
> (4) eap_ttls: Done initial handshake
> (4) eap_ttls: TLS_accept: SSLv3/TLS write server done
> (4) eap_ttls: <<< recv TLS 1.2 [length 0046]
> (4) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
> (4) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
> (4) eap_ttls: <<< recv TLS 1.2 [length 0010]
> (4) eap_ttls: TLS_accept: SSLv3/TLS read finished
> (4) eap_ttls: >>> send TLS 1.2 [length 0001]
> (4) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
> (4) eap_ttls: >>> send TLS 1.2 [length 0010]
> (4) eap_ttls: TLS_accept: SSLv3/TLS write finished
> (4) eap_ttls: (other): SSL negotiation finished successfully
> (4) eap_ttls: SSL Connection Established
> (4) eap_ttls: [eaptls process] = handled
> (4) eap: Sending EAP Request (code 1) ID 44 length 61
> (4) eap: EAP session adding &reply:State = 0xbdc37936b9ef6cdd
> (4) [eap] = handled
> (4) } # authenticate = handled
> (4) Using Post-Auth-Type Challenge
> (4) Post-Auth-Type sub-section not found. Ignoring.
> (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (4) Sent Access-Challenge Id 228 from 192.168.45.74:1812 to
> 192.168.45.05:37339 length 0
> (4) EAP-Message =
> 0x012c003d1580000000331403030001011603030028471e30dc08a6d794f227f69ef0ae81d75a7082e5643ef6c65d9ee2604fcd4f7c55114fc65525a838
> (4) Message-Authenticator = 0x00000000000000000000000000000000
> (4) State = 0xbdc37936b9ef6cdd84932144ea25780b
> (4) Finished request
> Waking up in 4.8 seconds.
> (5) Received Access-Request Id 229 from 192.168.45.05:37339 to
> 192.168.45.74:1812 length 230
> (5) User-Name = "bob"
> (5) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
> (5) NAS-Port-Type = Wireless-802.11
> (5) NAS-Port = 0
> (5) Calling-Station-Id = "60-FE-1E-A0-4F-C4"
> (5) Connect-Info = "CONNECT 0Mbps 802.11b"
> (5) Acct-Session-Id = "59B902E8-000000EA"
> (5) Framed-MTU = 1400
> (5) EAP-Message =
> 0x022c00371500170303002c0000000000000001595cecb3de730e899e84a9f3e32a5b344f7831ba3a3b08486ae4ed71c158e57359dded07
> (5) State = 0xbdc37936b9ef6cdd84932144ea25780b
> (5) Message-Authenticator = 0x04079a652bd0207cdffa3715b865b41a
> (5) session-state: No cached attributes
> (5) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (5) authorize {
> (5) policy filter_username {
> (5) if (&User-Name) {
> (5) if (&User-Name) -> TRUE
> (5) if (&User-Name) {
> (5) if (&User-Name =~ / /) {
> (5) if (&User-Name =~ / /) -> FALSE
> (5) if (&User-Name =~ /@[^@]*@/ ) {
> (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (5) if (&User-Name =~ /\.\./ ) {
> (5) if (&User-Name =~ /\.\./ ) -> FALSE
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
> FALSE
> (5) if (&User-Name =~ /\.$/) {
> (5) if (&User-Name =~ /\.$/) -> FALSE
> (5) if (&User-Name =~ /@\./) {
> (5) if (&User-Name =~ /@\./) -> FALSE
> (5) } # if (&User-Name) = notfound
> (5) } # policy filter_username = notfound
> (5) [preprocess] = ok
> (5) auth_log: EXPAND
> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> (5) auth_log: --> /var/log/freeradius/radacct/
> 192.168.45.05/auth-detail-20170914
> (5) auth_log:
> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-20170914
> (5) auth_log: EXPAND %t
> (5) auth_log: --> Thu Sep 14 11:19:11 2017
> (5) [auth_log] = ok
> (5) [chap] = noop
> (5) [mschap] = noop
> (5) [digest] = noop
> (5) suffix: Checking for suffix after "@"
> (5) suffix: No '@' in User-Name = "bob", looking up realm NULL
> (5) suffix: No such realm "NULL"
> (5) [suffix] = noop
> (5) eap: Peer sent EAP Response (code 2) ID 44 length 55
> (5) eap: Continuing tunnel setup
> (5) [eap] = ok
> (5) } # authorize = ok
> (5) Found Auth-Type = eap
> (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (5) authenticate {
> (5) eap: Expiring EAP session with state 0xbdc37936b9ef6cdd
> (5) eap: Finished EAP session with state 0xbdc37936b9ef6cdd
> (5) eap: Previous EAP request found for state 0xbdc37936b9ef6cdd, released
> from the list
> (5) eap: Peer sent packet with method EAP TTLS (21)
> (5) eap: Calling submodule eap_ttls to process data
> (5) eap_ttls: Authenticate
> (5) eap_ttls: Continuing EAP-TLS
> (5) eap_ttls: [eaptls verify] = ok
> (5) eap_ttls: Done initial handshake
> (5) eap_ttls: [eaptls process] = ok
> (5) eap_ttls: Session established. Proceeding to decode tunneled attributes
> (5) eap_ttls: Got tunneled request
> (5) eap_ttls: EAP-Message = 0x02000009016d61726b
> (5) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
> (5) eap_ttls: Got tunneled identity of bob
> (5) eap_ttls: Setting default EAP type for tunneled EAP session
> (5) eap_ttls: Sending tunneled request
> (5) Virtual server inner-tunnel received request
> (5) EAP-Message = 0x02000009016d61726b
> (5) FreeRADIUS-Proxied-To = 127.0.0.1
> (5) User-Name = "bob"
> (5) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
> (5) NAS-Port-Type = Wireless-802.11
> (5) NAS-Port = 0
> (5) Calling-Station-Id = "60-FE-1E-A0-4F-C4"
> (5) Connect-Info = "CONNECT 0Mbps 802.11b"
> (5) Acct-Session-Id = "59B902E8-000000EA"
> (5) Framed-MTU = 1400
> (5) Event-Timestamp = "Sep 14 2017 11:19:11 SAST"
> (5) NAS-IP-Address = 192.168.45.05
> (5) WARNING: Outer and inner identities are the same. User privacy is
> compromised.
> (5) server inner-tunnel {
> (5) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (5) authorize {
> (5) policy filter_username {
> (5) if (&User-Name) {
> (5) if (&User-Name) -> TRUE
> (5) if (&User-Name) {
> (5) if (&User-Name =~ / /) {
> (5) if (&User-Name =~ / /) -> FALSE
> (5) if (&User-Name =~ /@[^@]*@/ ) {
> (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (5) if (&User-Name =~ /\.\./ ) {
> (5) if (&User-Name =~ /\.\./ ) -> FALSE
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (5) if (&User-Name =~ /\.$/) {
> (5) if (&User-Name =~ /\.$/) -> FALSE
> (5) if (&User-Name =~ /@\./) {
> (5) if (&User-Name =~ /@\./) -> FALSE
> (5) } # if (&User-Name) = notfound
> (5) } # policy filter_username = notfound
> (5) [chap] = noop
> (5) [mschap] = noop
> (5) suffix: Checking for suffix after "@"
> (5) suffix: No '@' in User-Name = "bob", looking up realm NULL
> (5) suffix: No such realm "NULL"
> (5) [suffix] = noop
> (5) update control {
> (5) &Proxy-To-Realm := LOCAL
> (5) } # update control = noop
> (5) eap: Peer sent EAP Response (code 2) ID 0 length 9
> (5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (5) [eap] = ok
> (5) } # authorize = ok
> (5) Found Auth-Type = eap
> (5) # Executing group from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (5) authenticate {
> (5) eap: Peer sent packet with method EAP Identity (1)
> (5) eap: Calling submodule eap_gtc to process data
> (5) eap_gtc: EXPAND Password:
> (5) eap_gtc: --> Password:
> (5) eap: Sending EAP Request (code 1) ID 1 length 15
> (5) eap: EAP session adding &reply:State = 0x939300d7939206e6
> (5) [eap] = handled
> (5) } # authenticate = handled
> (5) } # server inner-tunnel
> (5) Virtual server sending reply
> (5) EAP-Message = 0x0101000f0650617373776f72643a20
> (5) Message-Authenticator = 0x00000000000000000000000000000000
> (5) State = 0x939300d7939206e632565a4a2d1be287
> (5) eap_ttls: Got tunneled Access-Challenge
> (5) eap: Sending EAP Request (code 1) ID 45 length 63
> (5) eap: EAP session adding &reply:State = 0xbdc37936b8ee6cdd
> (5) [eap] = handled
> (5) } # authenticate = handled
> (5) Using Post-Auth-Type Challenge
> (5) Post-Auth-Type sub-section not found. Ignoring.
> (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (5) Sent Access-Challenge Id 229 from 192.168.45.74:1812 to
> 192.168.45.05:37339 length 0
> (5) EAP-Message =
> 0x012d003f1580000000351703030030471e30dc08a6d79553ed6a4977806816b7ccd9f91d3c7e620176ceb206f3a0d52f0918d696626cf670769ccb64d27449
> (5) Message-Authenticator = 0x00000000000000000000000000000000
> (5) State = 0xbdc37936b8ee6cdd84932144ea25780b
> (5) Finished request
> Waking up in 4.8 seconds.
> (0) Cleaning up request packet ID 224 with timestamp +10
> (1) Cleaning up request packet ID 225 with timestamp +10
> (2) Cleaning up request packet ID 226 with timestamp +10
> (3) Cleaning up request packet ID 227 with timestamp +10
> (4) Cleaning up request packet ID 228 with timestamp +10
> (5) Cleaning up request packet ID 229 with timestamp +10
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list