TTLS with MSCHAPv2

elias.naslund at skf.com
Fri Mar 2 09:08:57 CET 2018


Hello,

I have installed FreeRADIUS on Ubuntu Server 16.04. I can connect to it 
with EAP MSCHAPv2 and in many other ways, but it fails on TTLS MSCHAPv2, 
which is the one I need to use. If wanted, I can send the debug information 
from a working EAP MSCHAPv2.

I am trying to connect with an Android phone through an ASUS router.

Anyone got any idea why it is not working?

root at ubuntuRADIUS:/etc/freeradius# freeradius -X
freeradius: FreeRADIUS Version 2.2.8, for host i686-pc-linux-gnu, built on 
Jul 26 2017 at 15:28:44
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/checkval
including configuration file 
/etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/radrelay
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/cache
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/dhcp_sqlippool
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
        user = "freerad"
        group = "freerad"
        allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
        name = "freeradius"
        prefix = "/usr"
        localstatedir = "/var"
        sbindir = "/usr/sbin"
        logdir = "/var/log/freeradius"
        run_dir = "/var/run/freeradius"
        libdir = "/usr/lib/freeradius"
        radacctdir = "/var/log/freeradius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        pidfile = "/var/run/freeradius/freeradius.pid"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 log {
        stripped_names = yes
        auth = yes
        auth_badpass = yes
        auth_goodpass = yes
 }
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
        allow_vulnerable_openssl = no
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
 }
 home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = "auth"
        secret = "testing123"
        response_window = 20
        max_outstanding = 65536
        require_message_authenticator = yes
        zombie_period = 40
        status_check = "status-server"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
  coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
  }
 }
 home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
 }
 realm example.com {
        auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = "testing123"
        nastype = "other"
 }
 client 10.0.2.2 {
        ipaddr = 10.0.2.2
        require_message_authenticator = no
        secret = "testing123"
 }
 client asus {
        ipaddr = 10.0.0.1
        require_message_authenticator = no
        secret = "testing123"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file 
/etc/freeradius/modules/exec
  exec {
        wait = no
        input_pairs = "request"
        shell_escape = yes
        timeout = 10
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file 
/etc/freeradius/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file 
/etc/freeradius/modules/expiration
  expiration {
        reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file 
/etc/freeradius/modules/logintime
  logintime {
        reply-message = "You are calling outside your allowed timespan  "
        minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
 modules {
  Module: Creating Auth-Type = digest
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
  pap {
        encryption_scheme = "auto"
        auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file 
/etc/freeradius/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file 
/etc/freeradius/modules/mschap
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
        allow_retry = yes
  }
 Module: Linked to module rlm_digest
 Module: Instantiating module "digest" from file 
/etc/freeradius/modules/digest
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file 
/etc/freeradius/modules/unix
  unix {
        radwtmp = "/var/log/freeradius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
  eap {
        default_eap_type = "ttls"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 1024
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
        challenge = "Password: "
        auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        CA_path = "/etc/freeradius/certs"
        pem_file_type = yes
        private_key_file = "/etc/freeradius/certs/server.key"
        certificate_file = "/etc/freeradius/certs/server.pem"
        CA_file = "/etc/freeradius/certs/ca.pem"
        private_key_password = "whatever"
        dh_file = "/etc/freeradius/certs/dh"
        random_file = "/dev/urandom"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        check_all_crl = no
        cipher_list = "DEFAULT"
        make_cert_command = "/etc/freeradius/certs/bootstrap"
        ecdh_curve = "prime256v1"
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
    verify {
    }
    ocsp {
        enable = no
        override_cert_url = yes
        url = "http://127.0.0.1/ocsp/"
        use_nonce = yes
        timeout = 0
        softfail = no
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
        include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
        soh = no
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
        with_ntdomain_hack = no
        send_error = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file 
/etc/freeradius/modules/preprocess
  preprocess {
        huntgroups = "/etc/freeradius/huntgroups"
        hints = "/etc/freeradius/hints"
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
  }
reading pairlist file /etc/freeradius/huntgroups
reading pairlist file /etc/freeradius/hints
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file 
/etc/freeradius/modules/realm
  realm suffix {
        format = "suffix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file 
/etc/freeradius/modules/files
  files {
        usersfile = "/etc/freeradius/users"
        acctusersfile = "/etc/freeradius/acct_users"
        preproxy_usersfile = "/etc/freeradius/preproxy_users"
        compat = "no"
  }
reading pairlist file /etc/freeradius/users
reading pairlist file /etc/freeradius/acct_users
reading pairlist file /etc/freeradius/preproxy_users
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file 
/etc/freeradius/modules/acct_unique
  acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, 
NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module "detail" from file 
/etc/freeradius/modules/detail
  detail {
        detailfile = 
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
        escape_filenames = no
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.accounting_response" from file 
/etc/freeradius/modules/attr_filter
  attr_filter attr_filter.accounting_response {
        attrsfile = "/etc/freeradius/attrs.accounting_response"
        key = "%{User-Name}"
        relaxed = no
  }
reading pairlist file /etc/freeradius/attrs.accounting_response
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file 
/etc/freeradius/modules/radutmp
  radutmp {
        filename = "/var/log/freeradius/radutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        perm = 384
        callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "attr_filter.access_reject" from file 
/etc/freeradius/modules/attr_filter
  attr_filter attr_filter.access_reject {
        attrsfile = "/etc/freeradius/attrs.access_reject"
        key = "%{User-Name}"
        relaxed = no
  }
reading pairlist file /etc/freeradius/attrs.access_reject
 } # modules
} # server
server inner-tunnel { # from file 
/etc/freeradius/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = *
        port = 0
}
listen {
        type = "acct"
        ipaddr = *
        port = 0
}
listen {
        type = "auth"
        ipaddr = 127.0.0.1
        port = 18120
}
 ... adding new socket proxy address * port 58209
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server 
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0, 
length=131
        User-Name = "anonymous"
        NAS-IP-Address = 10.0.0.1
        Called-Station-Id = "ac9e17bd7668"
        Calling-Station-Id = "2c0e3d040b41"
        NAS-Identifier = "ac9e17bd7668"
        NAS-Port = 14
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0200000e01616e6f6e796d6f7573
        Message-Authenticator = 0xbeb4b21ce8f441d188a5cfd604ea60f4
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication 
may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
        EAP-Message = 0x010100061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x566041d25661548b775c8b93cb3b8ac0
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0, 
length=306
Cleaning up request 0 ID 0 with timestamp +34
        User-Name = "anonymous"
        NAS-IP-Address = 10.0.0.1
        Called-Station-Id = "ac9e17bd7668"
        Calling-Station-Id = "2c0e3d040b41"
        NAS-Identifier = "ac9e17bd7668"
        NAS-Port = 14
        Framed-MTU = 1400
        State = 0x566041d25661548b775c8b93cb3b8ac0
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 
0x020100ab150016030100a00100009c0303526804514ac801dadb13db30bc913fac38c7cb01a7563c4e87eae08760e0f0e500003ec02cc030009fc02bc02f009ecca9cca8c00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a01000035ff0100010000170000000d001600140601060305010503040104030301030302010203000b00020100000a00080006001700180019
        Message-Authenticator = 0xfa662c8841ae23189146cdb69dcb7064
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 171
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 00a0]
[ttls]     TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0039]
[ttls]     TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 02cc]
[ttls]     TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 014d]
[ttls]     TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0004]
[ttls]     TLS_accept: unknown state
[ttls]     TLS_accept: unknown state
[ttls]     TLS_accept: unknown state
[ttls]     TLS_accept: Need to read more data: unknown state
[ttls]     TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
        EAP-Message = 
        EAP-Message = 
        EAP-Message = 
0x30090603551d1304023000300d06092a864886f70d01010b050003820101000b407680d9c47a5900401c7b6fe5390675f547567dacb4a75fb72387a0b621d5a668726d0654ef300fbe6b18324ddf2510cb0b6e459e90857c9d9cc34482c2aa5d7d9df792b1cc77f83aa3ccb7c6d0bd9080c31e22f5eb90212ede14732eaffcc9b24c580fede255a3e5acf05effc49d74cb63971ea81cda755983b202bffc116440616a01f57ad5b353cd7bba302dcf067313b00d0ff8a1bdd01e1b612ee04fd36c42949a32175585a1b28583c6a46f9399989acc68d2c3e7b7360ceddca417823ae7fe9d21a888c393bca3a9dbd66ccbbf59d5a1a290e7c67f1abe3bb3
        EAP-Message = 
        EAP-Message = 0x6c200c441581cef8c8df6fa0
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x566041d25762548b775c8b93cb3b8ac0
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0, 
length=141
Cleaning up request 1 ID 0 with timestamp +34
        User-Name = "anonymous"
        NAS-IP-Address = 10.0.0.1
        Called-Station-Id = "ac9e17bd7668"
        Calling-Station-Id = "2c0e3d040b41"
        NAS-Identifier = "ac9e17bd7668"
        NAS-Port = 14
        Framed-MTU = 1400
        State = 0x566041d25762548b775c8b93cb3b8ac0
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020200061500
        Message-Authenticator = 0x9edaf5e9ac1eadb44961e09e6104bcbe
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
        EAP-Message = 
0x0103007e15800000046aac4b2092f7d8e1ea994220a3e8fd64f6d29dd5d76d635dd7ac0895ea388f366812df6a1924dc25d7bb65058b2688fb10a125244fbfb429eddaab8d0bbdd38c76c39129ccddd422eaec8d1f5b478a431a81eeda645fc6502dfb21b1aa3c3a2abe102dd9b84bd475b427489216030300040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x566041d25463548b775c8b93cb3b8ac0
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0, 
length=267
Cleaning up request 2 ID 0 with timestamp +34
        User-Name = "anonymous"
        NAS-IP-Address = 10.0.0.1
        Called-Station-Id = "ac9e17bd7668"
        Calling-Station-Id = "2c0e3d040b41"
        NAS-Identifier = "ac9e17bd7668"
        NAS-Port = 14
        Framed-MTU = 1400
        State = 0x566041d25463548b775c8b93cb3b8ac0
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 
0x02030084150016030300461000004241046c37eb48dbbe8b3f2e0d3f4da3132daa81876d95c47c3c705cbf6917fa06d3ded4742817f732475c9c8b95f86670e5e80736e8f8e722d7e5a840d53943d1487d14030300010116030300280000000000000000db7f068e8fcce0d83d6a09d6b3abb56aefe288bc0d88a8c936338de79690e402
        Message-Authenticator = 0x73f1ad17bb3790824f1409941692e2c8
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 132
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0046]
[ttls]     TLS_accept: unknown state
[ttls]     TLS_accept: unknown state
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0001]
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0010]
[ttls]     TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0001]
[ttls]     TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0010]
[ttls]     TLS_accept: unknown state
[ttls]     TLS_accept: unknown state
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
        EAP-Message = 
0x0104003d158000000033140303000101160303002848357c1cd4efab5cceee0653c966dd0bf3a945b2ad77d149c6a69feff8cda8dcc4ab0b04d23d59d8
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x566041d25564548b775c8b93cb3b8ac0
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0, 
length=278
Cleaning up request 3 ID 0 with timestamp +34
        User-Name = "anonymous"
        NAS-IP-Address = 10.0.0.1
        Called-Station-Id = "ac9e17bd7668"
        Calling-Station-Id = "2c0e3d040b41"
        NAS-Identifier = "ac9e17bd7668"
        NAS-Port = 14
        Framed-MTU = 1400
        State = 0x566041d25564548b775c8b93cb3b8ac0
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 
0x0204008f150017030300840000000000000001adeee8b56ad79d8da4b1679db4746911f0033f5b5d83956312523861b8b2791310d63b269ec0b5eff151f90027dccef0ad6d604f6362e4bec2d7e8329969d05507acde23d18bf5c09ef07eface4cd2cba6c386f193dd76063b912057d569d1a549db5a68e108be0542d58e654e1b61e4716d701605d32b81ac0e5e9c
        Message-Authenticator = 0x05dc9439feca7c1d8a89f6cf01ca1fe5
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 143
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< Unknown TLS version [length 0005]
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Tunneled challenge is incorrect
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [anonymous/<via Auth-Type = EAP>] (from client 10.0.2.2 
port 14 cli 2c0e3d040b41)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[eap] Reply already contained an EAP-Message, not inserting EAP-Failure
++[eap] = noop
[attr_filter.access_reject]     expand: %{User-Name} -> anonymous
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 0 to 10.0.2.2 port 37101
        EAP-Message = 0x04040004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 4 ID 0 with timestamp +34
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0, 
length=131
        User-Name = "anonymous"
        NAS-IP-Address = 10.0.0.1
        Called-Station-Id = "ac9e17bd7668"
        Calling-Station-Id = "2c0e3d040b41"
        NAS-Identifier = "ac9e17bd7668"
        NAS-Port = 14
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0200000e01616e6f6e796d6f7573
        Message-Authenticator = 0x1c6c04fb8378f1910b9fb507c133e93c
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication 
may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
        EAP-Message = 0x010100061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0c457a660c446f12a95d9c7efeb2c3c0
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0, 
length=306
Cleaning up request 5 ID 0 with timestamp +41
        User-Name = "anonymous"
        NAS-IP-Address = 10.0.0.1
        Called-Station-Id = "ac9e17bd7668"
        Calling-Station-Id = "2c0e3d040b41"
        NAS-Identifier = "ac9e17bd7668"
        NAS-Port = 14
        Framed-MTU = 1400
        State = 0x0c457a660c446f12a95d9c7efeb2c3c0
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 
0x020100ab150016030100a00100009c03037bd1bcd41a4e58bb2447cae4df3b01e79efc412376c6c44ecd111b633f6da95900003ec02cc030009fc02bc02f009ecca9cca8c00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a01000035ff0100010000170000000d001600140601060305010503040104030301030302010203000b00020100000a00080006001700180019
        Message-Authenticator = 0x26bfb48fc179201a854a456aae91e65c
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 171
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 00a0]
[ttls]     TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0039]
[ttls]     TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 02cc]
[ttls]     TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 014d]
[ttls]     TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0004]
[ttls]     TLS_accept: unknown state
[ttls]     TLS_accept: unknown state
[ttls]     TLS_accept: unknown state
[ttls]     TLS_accept: Need to read more data: unknown state
[ttls]     TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
        EAP-Message = 
0x52c8fc8c0d2652e99ec612ac75a1029c63f63cfff4fd6cd9bb9e419bcfb7aed8e64d01f0f410c11961e22e9d2bea61dc6aacf0717dc0e386103809ea6f9978c068b1d59f405695fddfd47aff401b5f3390333b57b915960ec53698c32b02a49566bbbfb192c0a9b928a24535f40190231bf71416c580b6d982b17e744c7780ac0a64ea777a6f6d3cc493896914f89e0569b9a24f5a59387c852f838f053a9c396eee54f4ea222ae605b4735262d4e3685c6088da5fb881f739c00c93542663954a9800c99410e74ff3593536a9a669c0ef50b612e4270afe8f123d0ad38121639babf0fbd66137021597d97e6ef7d4aa7f9c02710203010001a30d300b
        EAP-Message = 0x0a6dd003a8cc5909b776178e
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0c457a660d476f12a95d9c7efeb2c3c0
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0, 
length=141
Cleaning up request 6 ID 0 with timestamp +41
        User-Name = "anonymous"
        NAS-IP-Address = 10.0.0.1
        Called-Station-Id = "ac9e17bd7668"
        Calling-Station-Id = "2c0e3d040b41"
        NAS-Identifier = "ac9e17bd7668"
        NAS-Port = 14
        Framed-MTU = 1400
        State = 0x0c457a660d476f12a95d9c7efeb2c3c0
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020200061500
        Message-Authenticator = 0xa934c5d9ef37110127b4f5bde5976891
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
        EAP-Message = 
0x0103007e15800000046acb854a80c6735479539ee466b6a78aea03b8217eca2044c6ae68d2abbe534fde390dee64a8f7fd6b3dae8a0df9ac8d0af161c7625e3c3760846bfecd09dd16ee51aa7dcc9fba22300f028808728e22ead32640c245d1a74109ccab548af6f1de2121336a0c96e46418d10716030300040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0c457a660e466f12a95d9c7efeb2c3c0
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0, 
length=267
Cleaning up request 7 ID 0 with timestamp +41
        User-Name = "anonymous"
        NAS-IP-Address = 10.0.0.1
        Called-Station-Id = "ac9e17bd7668"
        Calling-Station-Id = "2c0e3d040b41"
        NAS-Identifier = "ac9e17bd7668"
        NAS-Port = 14
        Framed-MTU = 1400
        State = 0x0c457a660e466f12a95d9c7efeb2c3c0
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 
0x02030084150016030300461000004241040908ad55e927f17918673c168d8477906aabd3bc14038f994d1c1a2f327e121ddf4f448468ff574b1de06a5e5c00123236777eace6353a385d9d6205b8e023d51403030001011603030028000000000000000038383460e069ca3fb477847a834dece115cf0c5f26f01130a5b49d8a3e7e3efc
        Message-Authenticator = 0xcf44d9a2c92b07296faf5930c64adb01
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 132
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0046]
[ttls]     TLS_accept: unknown state
[ttls]     TLS_accept: unknown state
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0001]
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0010]
[ttls]     TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0001]
[ttls]     TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0010]
[ttls]     TLS_accept: unknown state
[ttls]     TLS_accept: unknown state
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
        EAP-Message = 
0x0104003d1580000000331403030001011603030028df04f4b005fc62dedaf73c81ca86bc8d61392e442fd3a85c287b0d0e06972d6e6410ba3fbf7330d1
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0c457a660f416f12a95d9c7efeb2c3c0
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0, 
length=278
Cleaning up request 8 ID 0 with timestamp +41
        User-Name = "anonymous"
        NAS-IP-Address = 10.0.0.1
        Called-Station-Id = "ac9e17bd7668"
        Calling-Station-Id = "2c0e3d040b41"
        NAS-Identifier = "ac9e17bd7668"
        NAS-Port = 14
        Framed-MTU = 1400
        State = 0x0c457a660f416f12a95d9c7efeb2c3c0
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 
0x0204008f1500170303008400000000000000010b253d2220ac2acfe53e1fd5fbf2f2598a92443873a876f42e99da95a7bb051826a9c1c5dffc5c67c16c586df567d560ca07a7241921db2556e8d2a66f422b1932cfb3e1eb112d1fc6d3ba616889e05555c878940ee3f351d7a15a49586714bdd55276e3cdeab9ed113e4e460db718e3924ebd328bdf9a3e3236b6fc
        Message-Authenticator = 0x1af17b63a64f47fcbc3a0ec16717a910
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 143
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< Unknown TLS version [length 0005]
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Tunneled challenge is incorrect
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [anonymous/<via Auth-Type = EAP>] (from client 10.0.2.2 
port 14 cli 2c0e3d040b41)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[eap] Reply already contained an EAP-Message, not inserting EAP-Failure
++[eap] = noop
[attr_filter.access_reject]     expand: %{User-Name} -> anonymous
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 0 to 10.0.2.2 port 37101
        EAP-Message = 0x04040004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 9 ID 0 with timestamp +41
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0, 
length=131
        User-Name = "anonymous"
        NAS-IP-Address = 10.0.0.1
        Called-Station-Id = "ac9e17bd7668"
        Calling-Station-Id = "2c0e3d040b41"
        NAS-Identifier = "ac9e17bd7668"
        NAS-Port = 14
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0200000e01616e6f6e796d6f7573
        Message-Authenticator = 0x676ec42b20976a91a8bd7ab0d8cb999f
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication 
may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
        EAP-Message = 0x010100061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x983a0f7a983b1a9e70d1786f6677e705
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0, 
length=306
Cleaning up request 10 ID 0 with timestamp +49
        User-Name = "anonymous"
        NAS-IP-Address = 10.0.0.1
        Called-Station-Id = "ac9e17bd7668"
        Calling-Station-Id = "2c0e3d040b41"
        NAS-Identifier = "ac9e17bd7668"
        NAS-Port = 14
        Framed-MTU = 1400
        State = 0x983a0f7a983b1a9e70d1786f6677e705
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 
0x020100ab150016030100a00100009c0303a27710c867999b0722e29b8d455b6f41806830d2b5785a86ef947bc76d4ef04a00003ec02cc030009fc02bc02f009ecca9cca8c00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a01000035ff0100010000170000000d001600140601060305010503040104030301030302010203000b00020100000a00080006001700180019
        Message-Authenticator = 0x4494d20d1a8cb27ec272148c29dfc456
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 171
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 00a0]
[ttls]     TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0039]
[ttls]     TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 02cc]
[ttls]     TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 014d]
[ttls]     TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0004]
[ttls]     TLS_accept: unknown state
[ttls]     TLS_accept: unknown state
[ttls]     TLS_accept: unknown state
[ttls]     TLS_accept: Need to read more data: unknown state
[ttls]     TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
        EAP-Message = 0xc9ea0b7bf4dc7b16b042bed8
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x983a0f7a99381a9e70d1786f6677e705
Finished request 11.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0, 
length=141
Cleaning up request 11 ID 0 with timestamp +49
        User-Name = "anonymous"
        NAS-IP-Address = 10.0.0.1
        Called-Station-Id = "ac9e17bd7668"
        Calling-Station-Id = "2c0e3d040b41"
        NAS-Identifier = "ac9e17bd7668"
        NAS-Port = 14
        Framed-MTU = 1400
        State = 0x983a0f7a99381a9e70d1786f6677e705
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020200061500
        Message-Authenticator = 0x29ca321bf5207e566bdfbde431c392df
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
        EAP-Message = 
0x0103007e15800000046a4e10b776a37915fcf4f2dde3685940dbfea0542c5769819c4b948a1eaea41a55547f1fba0cd678ad5fd9868549d4ad9ba86131ccde39ca1a54e8d4ff6135f1da87c7649d577be682838374dc3922358785cbb92f67427b573e3447c30ec5f00758b9bda56bbde8b5b5f7af16030300040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x983a0f7a9a391a9e70d1786f6677e705
Finished request 12.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0, 
length=267
Cleaning up request 12 ID 0 with timestamp +49
        User-Name = "anonymous"
        NAS-IP-Address = 10.0.0.1
        Called-Station-Id = "ac9e17bd7668"
        Calling-Station-Id = "2c0e3d040b41"
        NAS-Identifier = "ac9e17bd7668"
        NAS-Port = 14
        Framed-MTU = 1400
        State = 0x983a0f7a9a391a9e70d1786f6677e705
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 
0x0203008415001603030046100000424104939c1ca8205736e62176faa470a2ddd4cc4732bdfb0a91a3c69756ff20227f99c8be39ae3ee90aef2cfd6ee33ee90a00d5a6009982426148bf7cf50eaaf9649c14030300010116030300280000000000000000cb752cedfefbb76538cb2a753067821926acc5a82e1587251a9ae55e49270d99
        Message-Authenticator = 0x48305bf93df8cdc7213e51a97981a74b
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 132
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0046]
[ttls]     TLS_accept: unknown state
[ttls]     TLS_accept: unknown state
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0001]
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0010]
[ttls]     TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0001]
[ttls]     TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0010]
[ttls]     TLS_accept: unknown state
[ttls]     TLS_accept: unknown state
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
        EAP-Message = 
0x0104003d15800000003314030300010116030300280b1a10be1e4e65a7c37a795524033677856ba37e47405ca76d6d047a8119d2116f56dc72c6053901
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x983a0f7a9b3e1a9e70d1786f6677e705
Finished request 13.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0, 
length=278
Cleaning up request 13 ID 0 with timestamp +49
        User-Name = "anonymous"
        NAS-IP-Address = 10.0.0.1
        Called-Station-Id = "ac9e17bd7668"
        Calling-Station-Id = "2c0e3d040b41"
        NAS-Identifier = "ac9e17bd7668"
        NAS-Port = 14
        Framed-MTU = 1400
        State = 0x983a0f7a9b3e1a9e70d1786f6677e705
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 
0x0204008f15001703030084000000000000000181f59453f45ff9351d0eb09f8559ad492ab457ecade0e6c6c30f1a8e547e2dd5f00316175c390c1f26d1aaa61eaa1a25735804b47041bede97df420c9eef1e806739cc77f680dbca690661abb5c7e3d19a7dc4f892452d4a704a7f7bd4d89fd81f982735b50be5c35f6f0b45d340a01c9384319974ad53e68a8fcf73
        Message-Authenticator = 0x6f40d71d85b6f299fd688e265aa1ce7a
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 143
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< Unknown TLS version [length 0005]
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Tunneled challenge is incorrect
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [anonymous/<via Auth-Type = EAP>] (from client 10.0.2.2 
port 14 cli 2c0e3d040b41)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[eap] Reply already contained an EAP-Message, not inserting EAP-Failure
++[eap] = noop
[attr_filter.access_reject]     expand: %{User-Name} -> anonymous
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 14 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 14
Sending Access-Reject of id 0 to 10.0.2.2 port 37101
        EAP-Message = 0x04040004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 14 ID 0 with timestamp +49
Ready to process requests.
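
To make the EAP-Message values in the debug output above readable, the following added example (not part of the original post and not FreeRADIUS code) joins the EAP-Message attributes of each RADIUS packet and decodes the EAP header plus the L/M/S flags octet shared by EAP-TLS, EAP-TTLS and PEAP. The function names and the sample input are assumptions made for the example.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_BASED = {13, 21, 25}  # methods that share the L/M/S flags octet

# Constructed sample in "freeradius -X" layout, short values from the log above.
# The fourth packet is cut to its 10-byte header and split over two attributes.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
        EAP-Message = 0x0200000e01616e6f6e796d6f7573
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
        EAP-Message = 0x010100061520
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
        EAP-Message = 0x020200061500
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
        EAP-Message =
0x0103007e1580
        EAP-Message = 0x0000046a
Sending Access-Reject of id 0 to 10.0.2.2 port 37101
        EAP-Message = 0x04040004
"""

EAP_ATTR = re.compile(r"EAP-Message\s*=\s*0x((?:[0-9a-fA-F]{2})+)")
PACKET_START = re.compile(r"(?m)^(?=rad_recv:|Sending )")


def decode_eap(data: bytes) -> dict:
    """Decode the EAP header and, for TLS-based methods, the flags octet."""
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    out = {"code": EAP_CODES.get(code, f"code {code}"), "id": ident,
           "length": length, "truncated": len(data) < length}
    if code not in (1, 2) or len(data) < 5:
        return out  # Success and Failure carry no type field
    eap_type = data[4]
    out["type"] = EAP_TYPES.get(eap_type, f"type {eap_type}")
    if eap_type == 1:
        out["identity"] = data[5:length].decode("utf-8", "replace")
    elif eap_type in TLS_BASED and len(data) >= 6:
        flags = data[5]
        names = ((0x80, "L"), (0x40, "M"), (0x20, "S"))
        out["flags"] = [n for bit, n in names if flags & bit]
        if flags & 0x80 and len(data) >= 10:
            out["tls_length"] = struct.unpack("!I", data[6:10])[0]
        if flags & 0x20:
            out["kind"] = "start"
        elif length == 6:
            out["kind"] = "ack"  # flags octet only, no TLS data
        else:
            out["kind"] = "tls-data"
    return out


def decode_log(text: str) -> list:
    """Return one decoded EAP packet per RADIUS packet in the debug output."""
    msgs = []
    for block in PACKET_START.split(text):
        # One EAP packet may span several EAP-Message attributes: join them.
        data = b"".join(bytes.fromhex(h) for h in EAP_ATTR.findall(block))
        if data:
            msgs.append(decode_eap(data))
    return msgs


if __name__ == "__main__":
    print(*decode_log(SAMPLE_LOG), sep="\n")
```

This covers the outer EAP layer only: the inner MS-CHAPv2 attributes travel inside TLS application-data records and are not visible at this level.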



