TTLS + GTC Configuration -> No Error in log but cleint stuck on "connecting"

Mark mclarke4 at gmail.com
Fri Sep 15 16:44:27 CEST 2017


Ok so I have gone through the configuration and verified that the ssl paths
and passwords are correct but the authentication still fails. I tried
setting the Auth-Type to  local in the gtc configuration block in the eap
configuration file and at least I got a complaint about the password being
in hashed format. Not sure why the hashed format get passed through from
the ldap look up under authorization in phase 1? Maybe I need to force set
it to the provided clear-text password before the inner tunnel is set up?
(I am fully aware I could be talking complete nonsense at this point as my
brain is swimming in a rough see of concepts and, what seems like
convoluted labyrinthine mess of configuration options - kind of like living
a Kafka novel :(  )

It tried changing the setting to ldap but still cannot login.  A bit lost
really :( I see some time "MS-MPPE-Recv-Key" messages but not sure how this
got in there as I don't request any MSCHAP authentication?


On 14 September 2017 at 20:40, Mark <mclarke4 at gmail.com> wrote:

> Thanks for the pointer. The client is using GTC with TTLS.  Having a look
> at the config files remotely I can see the ssl key password is incorrect in
> eap
> tls-common config. This will undoubteldy cause an error but surely it
> would have caused an error earlier? Or at least a more explicit error? Will
> test tomorrow when I am back in wifi range :)
>
>
>
>
> On 14 September 2017 at 13:42, Alan Buxey <alan.buxey at gmail.com> wrote:
>
>> client configured with GTC for EAP TTLS  ? it looks like its not happy
>> responding to the GTC challenge..
>>
>> alan
>>
>> On 14 September 2017 at 10:32, Mark <mclarke4 at gmail.com> wrote:
>> > Hi all,
>> >
>> > I have a openldap server with hashed password and am attempting to set
>> up
>> > WPA-Enterprise authentication. I have enabled the ldpap module and
>> straight
>> > authentication usng ldap and pap works. i.e the proxy server
>> authenticates
>> > without any problems.
>> >
>> > I have the client configured to use ttls and gtc. I have done the same
>> with
>> > the eap configuration file. I don't get any error messages in the log
>> file
>> > when trying to connect. (I regengerated the ssl certs as hinted at by a
>> > previous message but this took away the ssl cert warning but did not
>> solve
>> > the problem.)
>> >
>> > Below is the debug log output. Trying to understand radius and the whole
>> > EAP protocol requires a large amount of effort. I have already
>> understood a
>> > lot more than I did 3 days ago but am not at the end of my concpetual
>> > models ability to trouble shoot this problem. I have tried setting the
>> > Auth-Type: to LDAP in the gtc configuration in the eap conf file as well
>> > but the results are the same.
>> >
>> > Any help or hints appreciated. From the log file below it looks like the
>> > client is not responding to the final Access-Challenge. The only other
>> idea
>> > I have is that the User-Password: field is not being passed to the eap
>> > process? Not sure how to fix that or if it is the problem.
>> >
>> > Thanks
>> >
>> > Ready to process requests
>> > (0) Received Access-Request Id 224 from 192.168.45.05:37339 to
>> > 192.168.45.74:1812 length 166
>> > (0)   User-Name = "bob"
>> > (0)   Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
>> > (0)   NAS-Port-Type = Wireless-802.11
>> > (0)   NAS-Port = 0
>> > (0)   Calling-Station-Id = "60-FE-1E-A0-4F-C4"
>> > (0)   Connect-Info = "CONNECT 0Mbps 802.11b"
>> > (0)   Acct-Session-Id = "59B902E8-000000EA"
>> > (0)   Framed-MTU = 1400
>> > (0)   EAP-Message = 0x02270009016d61726b
>> > (0)   Message-Authenticator = 0x4e878ddb529b319d77ea2abfb3131112
>> > (0) # Executing section authorize from file
>> > /etc/freeradius/3.0/sites-enabled/default
>> > (0)   authorize {
>> > (0)     policy filter_username {
>> > (0)       if (&User-Name) {
>> > (0)       if (&User-Name)  -> TRUE
>> > (0)       if (&User-Name)  {
>> > (0)         if (&User-Name =~ / /) {
>> > (0)         if (&User-Name =~ / /)  -> FALSE
>> > (0)         if (&User-Name =~ /@[^@]*@/ ) {
>> > (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>> > (0)         if (&User-Name =~ /\.\./ ) {
>> > (0)         if (&User-Name =~ /\.\./ )  -> FALSE
>> > (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>> {
>> > (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>>  ->
>> > FALSE
>> > (0)         if (&User-Name =~ /\.$/)  {
>> > (0)         if (&User-Name =~ /\.$/)   -> FALSE
>> > (0)         if (&User-Name =~ /@\./)  {
>> > (0)         if (&User-Name =~ /@\./)   -> FALSE
>> > (0)       } # if (&User-Name)  = notfound
>> > (0)     } # policy filter_username = notfound
>> > (0)     [preprocess] = ok
>> > (0) auth_log: EXPAND
>> > /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Pa
>> cket-Src-IPv6-Address}}/auth-detail-%Y%m%d
>> > (0) auth_log:    --> /var/log/freeradius/radacct/
>> > 192.168.45.05/auth-detail-20170914
>> > (0) auth_log:
>> > /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Pa
>> cket-Src-IPv6-Address}}/auth-detail-%Y%m%d
>> > expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-201709
>> 14
>> > (0) auth_log: EXPAND %t
>> > (0) auth_log:    --> Thu Sep 14 11:19:11 2017
>> > (0)     [auth_log] = ok
>> > (0)     [chap] = noop
>> > (0)     [mschap] = noop
>> > (0)     [digest] = noop
>> > (0) suffix: Checking for suffix after "@"
>> > (0) suffix: No '@' in User-Name = "bob", looking up realm NULL
>> > (0) suffix: No such realm "NULL"
>> > (0)     [suffix] = noop
>> > (0) eap: Peer sent EAP Response (code 2) ID 39 length 9
>> > (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
>> > rest of authorize
>> > (0)     [eap] = ok
>> > (0)   } # authorize = ok
>> > (0) Found Auth-Type = eap
>> > (0) # Executing group from file /etc/freeradius/3.0/sites-enab
>> led/default
>> > (0)   authenticate {
>> > (0) eap: Peer sent packet with method EAP Identity (1)
>> > (0) eap: Calling submodule eap_ttls to process data
>> > (0) eap_ttls: Initiating new EAP-TLS session
>> > (0) eap_ttls: [eaptls start] = request
>> > (0) eap: Sending EAP Request (code 1) ID 40 length 6
>> > (0) eap: EAP session adding &reply:State = 0xbdc37936bdeb6cdd
>> > (0)     [eap] = handled
>> > (0)   } # authenticate = handled
>> > (0) Using Post-Auth-Type Challenge
>> > (0) Post-Auth-Type sub-section not found.  Ignoring.
>> > (0) # Executing group from file /etc/freeradius/3.0/sites-enab
>> led/default
>> > (0) Sent Access-Challenge Id 224 from 192.168.45.74:1812 to
>> > 192.168.45.05:37339 length 0
>> > (0)   EAP-Message = 0x012800061520
>> > (0)   Message-Authenticator = 0x00000000000000000000000000000000
>> > (0)   State = 0xbdc37936bdeb6cdd84932144ea25780b
>> > (0) Finished request
>> > Waking up in 4.9 seconds.
>> > (1) Received Access-Request Id 225 from 192.168.45.05:37339 to
>> > 192.168.45.74:1812 length 339
>> > (1)   User-Name = "bob"
>> > (1)   Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
>> > (1)   NAS-Port-Type = Wireless-802.11
>> > (1)   NAS-Port = 0
>> > (1)   Calling-Station-Id = "60-FE-1E-A0-4F-C4"
>> > (1)   Connect-Info = "CONNECT 0Mbps 802.11b"
>> > (1)   Acct-Session-Id = "59B902E8-000000EA"
>> > (1)   Framed-MTU = 1400
>> > (1)   EAP-Message =
>> > 0x022800a4150016030100990100009503030a1c1c168f1fe7ca21b8e5ee
>> 873c19ba1e777641a3b13e1cca092bfa7fe66fc100003cc02cc030009fc0
>> 2bc02f009ec00ac024c014c0280039006bc009c023c013c02700330067c0
>> 07c011009d009c0035003d002f003c00050004000a00ff01000030001700
>> > (1)   State = 0xbdc37936bdeb6cdd84932144ea25780b
>> > (1)   Message-Authenticator = 0xc6c693312fb56f022f47198c94f4c3c7
>> > (1) session-state: No cached attributes
>> > (1) # Executing section authorize from file
>> > /etc/freeradius/3.0/sites-enabled/default
>> > (1)   authorize {
>> > (1)     policy filter_username {
>> > (1)       if (&User-Name) {
>> > (1)       if (&User-Name)  -> TRUE
>> > (1)       if (&User-Name)  {
>> > (1)         if (&User-Name =~ / /) {
>> > (1)         if (&User-Name =~ / /)  -> FALSE
>> > (1)         if (&User-Name =~ /@[^@]*@/ ) {
>> > (1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>> > (1)         if (&User-Name =~ /\.\./ ) {
>> > (1)         if (&User-Name =~ /\.\./ )  -> FALSE
>> > (1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>> {
>> > (1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>>  ->
>> > FALSE
>> > (1)         if (&User-Name =~ /\.$/)  {
>> > (1)         if (&User-Name =~ /\.$/)   -> FALSE
>> > (1)         if (&User-Name =~ /@\./)  {
>> > (1)         if (&User-Name =~ /@\./)   -> FALSE
>> > (1)       } # if (&User-Name)  = notfound
>> > (1)     } # policy filter_username = notfound
>> > (1)     [preprocess] = ok
>> > (1) auth_log: EXPAND
>> > /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Pa
>> cket-Src-IPv6-Address}}/auth-detail-%Y%m%d
>> > (1) auth_log:    --> /var/log/freeradius/radacct/
>> > 192.168.45.05/auth-detail-20170914
>> > (1) auth_log:
>> > /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Pa
>> cket-Src-IPv6-Address}}/auth-detail-%Y%m%d
>> > expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-201709
>> 14
>> > (1) auth_log: EXPAND %t
>> > (1) auth_log:    --> Thu Sep 14 11:19:11 2017
>> > (1)     [auth_log] = ok
>> > (1)     [chap] = noop
>> > (1)     [mschap] = noop
>> > (1)     [digest] = noop
>> > (1) suffix: Checking for suffix after "@"
>> > (1) suffix: No '@' in User-Name = "bob", looking up realm NULL
>> > (1) suffix: No such realm "NULL"
>> > (1)     [suffix] = noop
>> > (1) eap: Peer sent EAP Response (code 2) ID 40 length 164
>> > (1) eap: Continuing tunnel setup
>> > (1)     [eap] = ok
>> > (1)   } # authorize = ok
>> > (1) Found Auth-Type = eap
>> > (1) # Executing group from file /etc/freeradius/3.0/sites-enab
>> led/default
>> > (1)   authenticate {
>> > (1) eap: Expiring EAP session with state 0xbdc37936bdeb6cdd
>> > (1) eap: Finished EAP session with state 0xbdc37936bdeb6cdd
>> > (1) eap: Previous EAP request found for state 0xbdc37936bdeb6cdd,
>> released
>> > from the list
>> > (1) eap: Peer sent packet with method EAP TTLS (21)
>> > (1) eap: Calling submodule eap_ttls to process data
>> > (1) eap_ttls: Authenticate
>> > (1) eap_ttls: Continuing EAP-TLS
>> > (1) eap_ttls: Got final TLS record fragment (158 bytes)
>> > (1) eap_ttls: WARNING: Total received TLS record fragments (158 bytes),
>> > does not equal indicated TLS record length (0 bytes)
>> > (1) eap_ttls: [eaptls verify] = ok
>> > (1) eap_ttls: Done initial handshake
>> > (1) eap_ttls: (other): before SSL initialization
>> > (1) eap_ttls: TLS_accept: before SSL initialization
>> > (1) eap_ttls: TLS_accept: before SSL initialization
>> > (1) eap_ttls: <<< recv TLS 1.2  [length 0099]
>> > (1) eap_ttls: TLS_accept: SSLv3/TLS read client hello
>> > (1) eap_ttls: >>> send TLS 1.2  [length 003d]
>> > (1) eap_ttls: TLS_accept: SSLv3/TLS write server hello
>> > (1) eap_ttls: >>> send TLS 1.2  [length 08d3]
>> > (1) eap_ttls: TLS_accept: SSLv3/TLS write certificate
>> > (1) eap_ttls: >>> send TLS 1.2  [length 014d]
>> > (1) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
>> > (1) eap_ttls: >>> send TLS 1.2  [length 0004]
>> > (1) eap_ttls: TLS_accept: SSLv3/TLS write server done
>> > (1) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server
>> > done
>> > (1) eap_ttls: In SSL Handshake Phase
>> > (1) eap_ttls: In SSL Accept mode
>> > (1) eap_ttls: [eaptls process] = handled
>> > (1) eap: Sending EAP Request (code 1) ID 41 length 1004
>> > (1) eap: EAP session adding &reply:State = 0xbdc37936bcea6cdd
>> > (1)     [eap] = handled
>> > (1)   } # authenticate = handled
>> > (1) Using Post-Auth-Type Challenge
>> > (1) Post-Auth-Type sub-section not found.  Ignoring.
>> > (1) # Executing group from file /etc/freeradius/3.0/sites-enab
>> led/default
>> > (1) Sent Access-Challenge Id 225 from 192.168.45.74:1812 to
>> > 192.168.45.05:37339 length 0
>> > (1)   EAP-Message =
>> > 0x012903ec15c000000a75160303003d020000390303bfef2af615bb30a1
>> 795e1502febfbbcfaf0829baff49038576161b0bbe9082d500c030000011
>> ff01000100000b0004030001020017000016030308d30b0008cf0008cc00
>> 03de308203da308202c2a003020102020101300d06092a864886f70d0101
>> > (1)   Message-Authenticator = 0x00000000000000000000000000000000
>> > (1)   State = 0xbdc37936bcea6cdd84932144ea25780b
>> > (1) Finished request
>> > Waking up in 4.9 seconds.
>> > (2) Received Access-Request Id 226 from 192.168.45.05:37339 to
>> > 192.168.45.74:1812 length 181
>> > (2)   User-Name = "bob"
>> > (2)   Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
>> > (2)   NAS-Port-Type = Wireless-802.11
>> > (2)   NAS-Port = 0
>> > (2)   Calling-Station-Id = "60-FE-1E-A0-4F-C4"
>> > (2)   Connect-Info = "CONNECT 0Mbps 802.11b"
>> > (2)   Acct-Session-Id = "59B902E8-000000EA"
>> > (2)   Framed-MTU = 1400
>> > (2)   EAP-Message = 0x022900061500
>> > (2)   State = 0xbdc37936bcea6cdd84932144ea25780b
>> > (2)   Message-Authenticator = 0x5e81d512883c3437d5d7c4b1576509da
>> > (2) session-state: No cached attributes
>> > (2) # Executing section authorize from file
>> > /etc/freeradius/3.0/sites-enabled/default
>> > (2)   authorize {
>> > (2)     policy filter_username {
>> > (2)       if (&User-Name) {
>> > (2)       if (&User-Name)  -> TRUE
>> > (2)       if (&User-Name)  {
>> > (2)         if (&User-Name =~ / /) {
>> > (2)         if (&User-Name =~ / /)  -> FALSE
>> > (2)         if (&User-Name =~ /@[^@]*@/ ) {
>> > (2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>> > (2)         if (&User-Name =~ /\.\./ ) {
>> > (2)         if (&User-Name =~ /\.\./ )  -> FALSE
>> > (2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>> {
>> > (2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>>  ->
>> > FALSE
>> > (2)         if (&User-Name =~ /\.$/)  {
>> > (2)         if (&User-Name =~ /\.$/)   -> FALSE
>> > (2)         if (&User-Name =~ /@\./)  {
>> > (2)         if (&User-Name =~ /@\./)   -> FALSE
>> > (2)       } # if (&User-Name)  = notfound
>> > (2)     } # policy filter_username = notfound
>> > (2)     [preprocess] = ok
>> > (2) auth_log: EXPAND
>> > /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Pa
>> cket-Src-IPv6-Address}}/auth-detail-%Y%m%d
>> > (2) auth_log:    --> /var/log/freeradius/radacct/
>> > 192.168.45.05/auth-detail-20170914
>> > (2) auth_log:
>> > /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Pa
>> cket-Src-IPv6-Address}}/auth-detail-%Y%m%d
>> > expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-201709
>> 14
>> > (2) auth_log: EXPAND %t
>> > (2) auth_log:    --> Thu Sep 14 11:19:11 2017
>> > (2)     [auth_log] = ok
>> > (2)     [chap] = noop
>> > (2)     [mschap] = noop
>> > (2)     [digest] = noop
>> > (2) suffix: Checking for suffix after "@"
>> > (2) suffix: No '@' in User-Name = "bob", looking up realm NULL
>> > (2) suffix: No such realm "NULL"
>> > (2)     [suffix] = noop
>> > (2) eap: Peer sent EAP Response (code 2) ID 41 length 6
>> > (2) eap: Continuing tunnel setup
>> > (2)     [eap] = ok
>> > (2)   } # authorize = ok
>> > (2) Found Auth-Type = eap
>> > (2) # Executing group from file /etc/freeradius/3.0/sites-enab
>> led/default
>> > (2)   authenticate {
>> > (2) eap: Expiring EAP session with state 0xbdc37936bcea6cdd
>> > (2) eap: Finished EAP session with state 0xbdc37936bcea6cdd
>> > (2) eap: Previous EAP request found for state 0xbdc37936bcea6cdd,
>> released
>> > from the list
>> > (2) eap: Peer sent packet with method EAP TTLS (21)
>> > (2) eap: Calling submodule eap_ttls to process data
>> > (2) eap_ttls: Authenticate
>> > (2) eap_ttls: Continuing EAP-TLS
>> > (2) eap_ttls: Peer ACKed our handshake fragment
>> > (2) eap_ttls: [eaptls verify] = request
>> > (2) eap_ttls: [eaptls process] = handled
>> > (2) eap: Sending EAP Request (code 1) ID 42 length 1004
>> > (2) eap: EAP session adding &reply:State = 0xbdc37936bfe96cdd
>> > (2)     [eap] = handled
>> > (2)   } # authenticate = handled
>> > (2) Using Post-Auth-Type Challenge
>> > (2) Post-Auth-Type sub-section not found.  Ignoring.
>> > (2) # Executing group from file /etc/freeradius/3.0/sites-enab
>> led/default
>> > (2) Sent Access-Challenge Id 226 from 192.168.45.74:1812 to
>> > 192.168.45.05:37339 length 0
>> > (2)   EAP-Message =
>> > 0x012a03ec15c000000a75318c53693caf5cec07a26c179201b35044f8b0
>> a36585e88ac8887724d038dace205f76b50f376be76dd9ebe975518e8d82
>> a931d370995cd79469cd39278883b89faf674e3bc275747a253d0cab0004
>> e8308204e4308203cca003020102020900acfa1c7c27c4f226300d06092a
>> > (2)   Message-Authenticator = 0x00000000000000000000000000000000
>> > (2)   State = 0xbdc37936bfe96cdd84932144ea25780b
>> > (2) Finished request
>> > Waking up in 4.9 seconds.
>> > (3) Received Access-Request Id 227 from 192.168.45.05:37339 to
>> > 192.168.45.74:1812 length 181
>> > (3)   User-Name = "bob"
>> > (3)   Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
>> > (3)   NAS-Port-Type = Wireless-802.11
>> > (3)   NAS-Port = 0
>> > (3)   Calling-Station-Id = "60-FE-1E-A0-4F-C4"
>> > (3)   Connect-Info = "CONNECT 0Mbps 802.11b"
>> > (3)   Acct-Session-Id = "59B902E8-000000EA"
>> > (3)   Framed-MTU = 1400
>> > (3)   EAP-Message = 0x022a00061500
>> > (3)   State = 0xbdc37936bfe96cdd84932144ea25780b
>> > (3)   Message-Authenticator = 0x9fd121549085c6c53071b12b8b96285a
>> > (3) session-state: No cached attributes
>> > (3) # Executing section authorize from file
>> > /etc/freeradius/3.0/sites-enabled/default
>> > (3)   authorize {
>> > (3)     policy filter_username {
>> > (3)       if (&User-Name) {
>> > (3)       if (&User-Name)  -> TRUE
>> > (3)       if (&User-Name)  {
>> > (3)         if (&User-Name =~ / /) {
>> > (3)         if (&User-Name =~ / /)  -> FALSE
>> > (3)         if (&User-Name =~ /@[^@]*@/ ) {
>> > (3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>> > (3)         if (&User-Name =~ /\.\./ ) {
>> > (3)         if (&User-Name =~ /\.\./ )  -> FALSE
>> > (3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>> {
>> > (3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>>  ->
>> > FALSE
>> > (3)         if (&User-Name =~ /\.$/)  {
>> > (3)         if (&User-Name =~ /\.$/)   -> FALSE
>> > (3)         if (&User-Name =~ /@\./)  {
>> > (3)         if (&User-Name =~ /@\./)   -> FALSE
>> > (3)       } # if (&User-Name)  = notfound
>> > (3)     } # policy filter_username = notfound
>> > (3)     [preprocess] = ok
>> > (3) auth_log: EXPAND
>> > /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Pa
>> cket-Src-IPv6-Address}}/auth-detail-%Y%m%d
>> > (3) auth_log:    --> /var/log/freeradius/radacct/
>> > 192.168.45.05/auth-detail-20170914
>> > (3) auth_log:
>> > /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Pa
>> cket-Src-IPv6-Address}}/auth-detail-%Y%m%d
>> > expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-201709
>> 14
>> > (3) auth_log: EXPAND %t
>> > (3) auth_log:    --> Thu Sep 14 11:19:11 2017
>> > (3)     [auth_log] = ok
>> > (3)     [chap] = noop
>> > (3)     [mschap] = noop
>> > (3)     [digest] = noop
>> > (3) suffix: Checking for suffix after "@"
>> > (3) suffix: No '@' in User-Name = "bob", looking up realm NULL
>> > (3) suffix: No such realm "NULL"
>> > (3)     [suffix] = noop
>> > (3) eap: Peer sent EAP Response (code 2) ID 42 length 6
>> > (3) eap: Continuing tunnel setup
>> > (3)     [eap] = ok
>> > (3)   } # authorize = ok
>> > (3) Found Auth-Type = eap
>> > (3) # Executing group from file /etc/freeradius/3.0/sites-enab
>> led/default
>> > (3)   authenticate {
>> > (3) eap: Expiring EAP session with state 0xbdc37936bfe96cdd
>> > (3) eap: Finished EAP session with state 0xbdc37936bfe96cdd
>> > (3) eap: Previous EAP request found for state 0xbdc37936bfe96cdd,
>> released
>> > from the list
>> > (3) eap: Peer sent packet with method EAP TTLS (21)
>> > (3) eap: Calling submodule eap_ttls to process data
>> > (3) eap_ttls: Authenticate
>> > (3) eap_ttls: Continuing EAP-TLS
>> > (3) eap_ttls: Peer ACKed our handshake fragment
>> > (3) eap_ttls: [eaptls verify] = request
>> > (3) eap_ttls: [eaptls process] = handled
>> > (3) eap: Sending EAP Request (code 1) ID 43 length 699
>> > (3) eap: EAP session adding &reply:State = 0xbdc37936bee86cdd
>> > (3)     [eap] = handled
>> > (3)   } # authenticate = handled
>> > (3) Using Post-Auth-Type Challenge
>> > (3) Post-Auth-Type sub-section not found.  Ignoring.
>> > (3) # Executing group from file /etc/freeradius/3.0/sites-enab
>> led/default
>> > (3) Sent Access-Challenge Id 227 from 192.168.45.74:1812 to
>> > 192.168.45.05:37339 length 0
>> > (3)   EAP-Message =
>> > 0x012b02bb158000000a750101ff040530030101ff30360603551d1f042f
>> 302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f
>> 72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b
>> 05000382010100e3995c54d00cee2fbbc14478b89b75b38a11643e5c1a51
>> > (3)   Message-Authenticator = 0x00000000000000000000000000000000
>> > (3)   State = 0xbdc37936bee86cdd84932144ea25780b
>> > (3) Finished request
>> > Waking up in 4.9 seconds.
>> > (4) Received Access-Request Id 228 from 192.168.45.05:37339 to
>> > 192.168.45.74:1812 length 307
>> > (4)   User-Name = "bob"
>> > (4)   Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
>> > (4)   NAS-Port-Type = Wireless-802.11
>> > (4)   NAS-Port = 0
>> > (4)   Calling-Station-Id = "60-FE-1E-A0-4F-C4"
>> > (4)   Connect-Info = "CONNECT 0Mbps 802.11b"
>> > (4)   Acct-Session-Id = "59B902E8-000000EA"
>> > (4)   Framed-MTU = 1400
>> > (4)   EAP-Message =
>> > 0x022b0084150016030300461000004241047d7abad05d5661d82c204f0d
>> 953f0ce6f5b508de608abf44b528fc3897c2f548baacdb60f5cd867ea90d
>> 976f1ad767249c4fc28ba8a810d62bb1102d57fd00e51403030001011603
>> 0300280000000000000000c227b6f946893e02d0eac613069cdc09d93578
>> > (4)   State = 0xbdc37936bee86cdd84932144ea25780b
>> > (4)   Message-Authenticator = 0xb50eb2de770b6149c3752e62afebe833
>> > (4) session-state: No cached attributes
>> > (4) # Executing section authorize from file
>> > /etc/freeradius/3.0/sites-enabled/default
>> > (4)   authorize {
>> > (4)     policy filter_username {
>> > (4)       if (&User-Name) {
>> > (4)       if (&User-Name)  -> TRUE
>> > (4)       if (&User-Name)  {
>> > (4)         if (&User-Name =~ / /) {
>> > (4)         if (&User-Name =~ / /)  -> FALSE
>> > (4)         if (&User-Name =~ /@[^@]*@/ ) {
>> > (4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>> > (4)         if (&User-Name =~ /\.\./ ) {
>> > (4)         if (&User-Name =~ /\.\./ )  -> FALSE
>> > (4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>> {
>> > (4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>>  ->
>> > FALSE
>> > (4)         if (&User-Name =~ /\.$/)  {
>> > (4)         if (&User-Name =~ /\.$/)   -> FALSE
>> > (4)         if (&User-Name =~ /@\./)  {
>> > (4)         if (&User-Name =~ /@\./)   -> FALSE
>> > (4)       } # if (&User-Name)  = notfound
>> > (4)     } # policy filter_username = notfound
>> > (4)     [preprocess] = ok
>> > (4) auth_log: EXPAND
>> > /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Pa
>> cket-Src-IPv6-Address}}/auth-detail-%Y%m%d
>> > (4) auth_log:    --> /var/log/freeradius/radacct/
>> > 192.168.45.05/auth-detail-20170914
>> > (4) auth_log:
>> > /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Pa
>> cket-Src-IPv6-Address}}/auth-detail-%Y%m%d
>> > expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-201709
>> 14
>> > (4) auth_log: EXPAND %t
>> > (4) auth_log:    --> Thu Sep 14 11:19:11 2017
>> > (4)     [auth_log] = ok
>> > (4)     [chap] = noop
>> > (4)     [mschap] = noop
>> > (4)     [digest] = noop
>> > (4) suffix: Checking for suffix after "@"
>> > (4) suffix: No '@' in User-Name = "bob", looking up realm NULL
>> > (4) suffix: No such realm "NULL"
>> > (4)     [suffix] = noop
>> > (4) eap: Peer sent EAP Response (code 2) ID 43 length 132
>> > (4) eap: Continuing tunnel setup
>> > (4)     [eap] = ok
>> > (4)   } # authorize = ok
>> > (4) Found Auth-Type = eap
>> > (4) # Executing group from file /etc/freeradius/3.0/sites-enab
>> led/default
>> > (4)   authenticate {
>> > (4) eap: Expiring EAP session with state 0xbdc37936bee86cdd
>> > (4) eap: Finished EAP session with state 0xbdc37936bee86cdd
>> > (4) eap: Previous EAP request found for state 0xbdc37936bee86cdd,
>> released
>> > from the list
>> > (4) eap: Peer sent packet with method EAP TTLS (21)
>> > (4) eap: Calling submodule eap_ttls to process data
>> > (4) eap_ttls: Authenticate
>> > (4) eap_ttls: Continuing EAP-TLS
>> > (4) eap_ttls: [eaptls verify] = ok
>> > (4) eap_ttls: Done initial handshake
>> > (4) eap_ttls: TLS_accept: SSLv3/TLS write server done
>> > (4) eap_ttls: <<< recv TLS 1.2  [length 0046]
>> > (4) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
>> > (4) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
>> > (4) eap_ttls: <<< recv TLS 1.2  [length 0010]
>> > (4) eap_ttls: TLS_accept: SSLv3/TLS read finished
>> > (4) eap_ttls: >>> send TLS 1.2  [length 0001]
>> > (4) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
>> > (4) eap_ttls: >>> send TLS 1.2  [length 0010]
>> > (4) eap_ttls: TLS_accept: SSLv3/TLS write finished
>> > (4) eap_ttls: (other): SSL negotiation finished successfully
>> > (4) eap_ttls: SSL Connection Established
>> > (4) eap_ttls: [eaptls process] = handled
>> > (4) eap: Sending EAP Request (code 1) ID 44 length 61
>> > (4) eap: EAP session adding &reply:State = 0xbdc37936b9ef6cdd
>> > (4)     [eap] = handled
>> > (4)   } # authenticate = handled
>> > (4) Using Post-Auth-Type Challenge
>> > (4) Post-Auth-Type sub-section not found.  Ignoring.
>> > (4) # Executing group from file /etc/freeradius/3.0/sites-enab
>> led/default
>> > (4) Sent Access-Challenge Id 228 from 192.168.45.74:1812 to
>> > 192.168.45.05:37339 length 0
>> > (4)   EAP-Message =
>> > 0x012c003d1580000000331403030001011603030028471e30dc08a6d794
>> f227f69ef0ae81d75a7082e5643ef6c65d9ee2604fcd4f7c55114fc65525a838
>> > (4)   Message-Authenticator = 0x00000000000000000000000000000000
>> > (4)   State = 0xbdc37936b9ef6cdd84932144ea25780b
>> > (4) Finished request
>> > Waking up in 4.8 seconds.
>> > (5) Received Access-Request Id 229 from 192.168.45.05:37339 to
>> > 192.168.45.74:1812 length 230
>> > (5)   User-Name = "bob"
>> > (5)   Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
>> > (5)   NAS-Port-Type = Wireless-802.11
>> > (5)   NAS-Port = 0
>> > (5)   Calling-Station-Id = "60-FE-1E-A0-4F-C4"
>> > (5)   Connect-Info = "CONNECT 0Mbps 802.11b"
>> > (5)   Acct-Session-Id = "59B902E8-000000EA"
>> > (5)   Framed-MTU = 1400
>> > (5)   EAP-Message =
>> > 0x022c00371500170303002c0000000000000001595cecb3de730e899e84
>> a9f3e32a5b344f7831ba3a3b08486ae4ed71c158e57359dded07
>> > (5)   State = 0xbdc37936b9ef6cdd84932144ea25780b
>> > (5)   Message-Authenticator = 0x04079a652bd0207cdffa3715b865b41a
>> > (5) session-state: No cached attributes
>> > (5) # Executing section authorize from file
>> > /etc/freeradius/3.0/sites-enabled/default
>> > (5)   authorize {
>> > (5)     policy filter_username {
>> > (5)       if (&User-Name) {
>> > (5)       if (&User-Name)  -> TRUE
>> > (5)       if (&User-Name)  {
>> > (5)         if (&User-Name =~ / /) {
>> > (5)         if (&User-Name =~ / /)  -> FALSE
>> > (5)         if (&User-Name =~ /@[^@]*@/ ) {
>> > (5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>> > (5)         if (&User-Name =~ /\.\./ ) {
>> > (5)         if (&User-Name =~ /\.\./ )  -> FALSE
>> > (5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>> {
>> > (5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>>  ->
>> > FALSE
>> > (5)         if (&User-Name =~ /\.$/)  {
>> > (5)         if (&User-Name =~ /\.$/)   -> FALSE
>> > (5)         if (&User-Name =~ /@\./)  {
>> > (5)         if (&User-Name =~ /@\./)   -> FALSE
>> > (5)       } # if (&User-Name)  = notfound
>> > (5)     } # policy filter_username = notfound
>> > (5)     [preprocess] = ok
>> > (5) auth_log: EXPAND
>> > /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Pa
>> cket-Src-IPv6-Address}}/auth-detail-%Y%m%d
>> > (5) auth_log:    --> /var/log/freeradius/radacct/
>> > 192.168.45.05/auth-detail-20170914
>> > (5) auth_log:
>> > /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Pa
>> cket-Src-IPv6-Address}}/auth-detail-%Y%m%d
>> > expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-201709
>> 14
>> > (5) auth_log: EXPAND %t
>> > (5) auth_log:    --> Thu Sep 14 11:19:11 2017
>> > (5)     [auth_log] = ok
>> > (5)     [chap] = noop
>> > (5)     [mschap] = noop
>> > (5)     [digest] = noop
>> > (5) suffix: Checking for suffix after "@"
>> > (5) suffix: No '@' in User-Name = "bob", looking up realm NULL
>> > (5) suffix: No such realm "NULL"
>> > (5)     [suffix] = noop
>> > (5) eap: Peer sent EAP Response (code 2) ID 44 length 55
>> > (5) eap: Continuing tunnel setup
>> > (5)     [eap] = ok
>> > (5)   } # authorize = ok
>> > (5) Found Auth-Type = eap
>> > (5) # Executing group from file /etc/freeradius/3.0/sites-enab
>> led/default
>> > (5)   authenticate {
>> > (5) eap: Expiring EAP session with state 0xbdc37936b9ef6cdd
>> > (5) eap: Finished EAP session with state 0xbdc37936b9ef6cdd
>> > (5) eap: Previous EAP request found for state 0xbdc37936b9ef6cdd,
>> released
>> > from the list
>> > (5) eap: Peer sent packet with method EAP TTLS (21)
>> > (5) eap: Calling submodule eap_ttls to process data
>> > (5) eap_ttls: Authenticate
>> > (5) eap_ttls: Continuing EAP-TLS
>> > (5) eap_ttls: [eaptls verify] = ok
>> > (5) eap_ttls: Done initial handshake
>> > (5) eap_ttls: [eaptls process] = ok
>> > (5) eap_ttls: Session established.  Proceeding to decode tunneled
>> attributes
>> > (5) eap_ttls: Got tunneled request
>> > (5) eap_ttls:   EAP-Message = 0x02000009016d61726b
>> > (5) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
>> > (5) eap_ttls: Got tunneled identity of bob
>> > (5) eap_ttls: Setting default EAP type for tunneled EAP session
>> > (5) eap_ttls: Sending tunneled request
>> > (5) Virtual server inner-tunnel received request
>> > (5)   EAP-Message = 0x02000009016d61726b
>> > (5)   FreeRADIUS-Proxied-To = 127.0.0.1
>> > (5)   User-Name = "bob"
>> > (5)   Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
>> > (5)   NAS-Port-Type = Wireless-802.11
>> > (5)   NAS-Port = 0
>> > (5)   Calling-Station-Id = "60-FE-1E-A0-4F-C4"
>> > (5)   Connect-Info = "CONNECT 0Mbps 802.11b"
>> > (5)   Acct-Session-Id = "59B902E8-000000EA"
>> > (5)   Framed-MTU = 1400
>> > (5)   Event-Timestamp = "Sep 14 2017 11:19:11 SAST"
>> > (5)   NAS-IP-Address = 192.168.45.05
>> > (5) WARNING: Outer and inner identities are the same.  User privacy is
>> > compromised.
>> > (5) server inner-tunnel {
>> > (5)   # Executing section authorize from file
>> > /etc/freeradius/3.0/sites-enabled/inner-tunnel
>> > (5)     authorize {
>> > (5)       policy filter_username {
>> > (5)         if (&User-Name) {
>> > (5)         if (&User-Name)  -> TRUE
>> > (5)         if (&User-Name)  {
>> > (5)           if (&User-Name =~ / /) {
>> > (5)           if (&User-Name =~ / /)  -> FALSE
>> > (5)           if (&User-Name =~ /@[^@]*@/ ) {
>> > (5)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>> > (5)           if (&User-Name =~ /\.\./ ) {
>> > (5)           if (&User-Name =~ /\.\./ )  -> FALSE
>> > (5)           if ((&User-Name =~ /@/) && (&User-Name !~
>> /@(.+)\.(.+)$/))  {
>> > (5)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>> > -> FALSE
>> > (5)           if (&User-Name =~ /\.$/)  {
>> > (5)           if (&User-Name =~ /\.$/)   -> FALSE
>> > (5)           if (&User-Name =~ /@\./)  {
>> > (5)           if (&User-Name =~ /@\./)   -> FALSE
>> > (5)         } # if (&User-Name)  = notfound
>> > (5)       } # policy filter_username = notfound
>> > (5)       [chap] = noop
>> > (5)       [mschap] = noop
>> > (5) suffix: Checking for suffix after "@"
>> > (5) suffix: No '@' in User-Name = "bob", looking up realm NULL
>> > (5) suffix: No such realm "NULL"
>> > (5)       [suffix] = noop
>> > (5)       update control {
>> > (5)         &Proxy-To-Realm := LOCAL
>> > (5)       } # update control = noop
>> > (5) eap: Peer sent EAP Response (code 2) ID 0 length 9
>> > (5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
>> > rest of authorize
>> > (5)       [eap] = ok
>> > (5)     } # authorize = ok
>> > (5)   Found Auth-Type = eap
>> > (5)   # Executing group from file
>> > /etc/freeradius/3.0/sites-enabled/inner-tunnel
>> > (5)     authenticate {
>> > (5) eap: Peer sent packet with method EAP Identity (1)
>> > (5) eap: Calling submodule eap_gtc to process data
>> > (5) eap_gtc: EXPAND Password:
>> > (5) eap_gtc:    --> Password:
>> > (5) eap: Sending EAP Request (code 1) ID 1 length 15
>> > (5) eap: EAP session adding &reply:State = 0x939300d7939206e6
>> > (5)       [eap] = handled
>> > (5)     } # authenticate = handled
>> > (5) } # server inner-tunnel
>> > (5) Virtual server sending reply
>> > (5)   EAP-Message = 0x0101000f0650617373776f72643a20
>> > (5)   Message-Authenticator = 0x00000000000000000000000000000000
>> > (5)   State = 0x939300d7939206e632565a4a2d1be287
>> > (5) eap_ttls: Got tunneled Access-Challenge
>> > (5) eap: Sending EAP Request (code 1) ID 45 length 63
>> > (5) eap: EAP session adding &reply:State = 0xbdc37936b8ee6cdd
>> > (5)     [eap] = handled
>> > (5)   } # authenticate = handled
>> > (5) Using Post-Auth-Type Challenge
>> > (5) Post-Auth-Type sub-section not found.  Ignoring.
>> > (5) # Executing group from file /etc/freeradius/3.0/sites-enab
>> led/default
>> > (5) Sent Access-Challenge Id 229 from 192.168.45.74:1812 to
>> > 192.168.45.05:37339 length 0
>> > (5)   EAP-Message =
>> > 0x012d003f1580000000351703030030471e30dc08a6d79553ed6a497780
>> 6816b7ccd9f91d3c7e620176ceb206f3a0d52f0918d696626cf670769ccb64d27449
>> > (5)   Message-Authenticator = 0x00000000000000000000000000000000
>> > (5)   State = 0xbdc37936b8ee6cdd84932144ea25780b
>> > (5) Finished request
>> > Waking up in 4.8 seconds.
>> > (0) Cleaning up request packet ID 224 with timestamp +10
>> > (1) Cleaning up request packet ID 225 with timestamp +10
>> > (2) Cleaning up request packet ID 226 with timestamp +10
>> > (3) Cleaning up request packet ID 227 with timestamp +10
>> > (4) Cleaning up request packet ID 228 with timestamp +10
>> > (5) Cleaning up request packet ID 229 with timestamp +10
>> > -
>> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list
>> /users.html
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list
>> /users.html
>
>
>


More information about the Freeradius-Users mailing list