help perl and pap authentication

lesterpl at infomed.sld.cu lesterpl at infomed.sld.cu
Tue Sep 4 14:32:57 CEST 2018


Hi, I have problems with FreeRADIUS. I am authenticating with a Perl script, and it works only when I do a radtest, like in the following case:

Ready to process requests
(0) Received Access-Request Id 188 from 192.168.0.3:40871 to  
192.168.0.9:1812 length 109
(0)   User-Name = "lesterpl at infomed.sld.cu"
(0)   User-Password = "supermelinda.com2010"
(0)   NAS-IP-Address = 192.168.0.3
(0)   NAS-Port = 1812
(0)   Message-Authenticator = 0xe32e609007f449c81e2c6bd8ecf18a8e
(0) # Executing section authorize from file  
/etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "infomed.sld.cu" for User-Name =  
"lesterpl at infomed.sld.cu"
(0) suffix: Found realm "infomed.sld.cu"
(0) suffix: Adding Stripped-User-Name = "lesterpl"
(0) suffix: Adding Realm = "infomed.sld.cu"
(0) suffix: Authentication realm is LOCAL
(0)     [suffix] = ok
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry DEFAULT at line 221
(0)     [files] = ok
(0)     if (ok || updated) {
(0)     if (ok || updated)  -> TRUE
(0)     if (ok || updated)  {
(0)       update control {
(0)         Auth-Type := perl
(0)       } # update control = noop
(0)     } # if (ok || updated)  = noop
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not  
setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good"  
password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = perl
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Auth-Type perl {
(0) perl:   $RAD_REQUEST{'User-Name'} = &request:User-Name ->  
'lesterpl at infomed.sld.cu'
(0) perl:   $RAD_REQUEST{'User-Password'} = &request:User-Password ->  
'supermelinda.com2010'
(0) perl:   $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address  
-> '192.168.0.3'
(0) perl:   $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '1812'
(0) perl:   $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp  
-> 'Sep  4 2018 12:25:15 UTC'
(0) perl:   $RAD_REQUEST{'Message-Authenticator'} =  
&request:Message-Authenticator -> '0xe32e609007f449c81e2c6bd8ecf18a8e'
(0) perl:   $RAD_REQUEST{'Stripped-User-Name'} =  
&request:Stripped-User-Name -> 'lesterpl'
(0) perl:   $RAD_REQUEST{'Realm'} = &request:Realm -> 'infomed.sld.cu'
(0) perl:   $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'perl'
(0) perl:   $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'perl'
SOFT ASSERT FAILED src/modules/rlm_perl/rlm_perl.c[703]: *vps
(0) perl: &request:Message-Authenticator =  
$RAD_REQUEST{'Message-Authenticator'} ->  
'0xe32e609007f449c81e2c6bd8ecf18a8e'
(0) perl: &request:User-Name = $RAD_REQUEST{'User-Name'} ->  
'lesterpl at infomed.sld.cu'
(0) perl: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'}  
-> 'Sep  4 2018 12:25:15 UTC'
(0) perl: &request:User-Password = $RAD_REQUEST{'User-Password'} ->  
'supermelinda.com2010'
(0) perl: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '1812'
(0) perl: &request:Stripped-User-Name =  
$RAD_REQUEST{'Stripped-User-Name'} -> 'lesterpl'
(0) perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} ->  
'192.168.0.3'
(0) perl: &request:Realm = $RAD_REQUEST{'Realm'} -> 'infomed.sld.cu'
SOFT ASSERT FAILED src/modules/rlm_perl/rlm_perl.c[703]: *vps
(0) perl: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'perl'
(0)     [perl] = ok
(0)   } # Auth-Type perl = ok
(0) # Executing section post-auth from file  
/etc/freeradius/3.0/sites-enabled/default
(0)   post-auth {
(0)     update {
(0)       No attributes updated
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Sent Access-Accept Id 188 from 192.168.0.9:1812 to  
192.168.0.3:40871 length 0
(0) Finished request
Waking up in 4.9 seconds.


But when I send it from my AP, FreeRADIUS assumes it is in the PAP group and does not authenticate:

Received Access-Request Id 4 from 192.168.0.80:1061 to  
192.168.0.9:1812 length 322
(4)   Message-Authenticator = 0x7350cca44f5ea831e5dff8bf3ea5be8b
(4)   Service-Type = Framed-User
(4)   User-Name = "aymeema"
(4)   Framed-MTU = 1488
(4)   State = 0xee0bf512ed0fecd6e57224eb55af15dd
(4)   Called-Station-Id = "00-23-CD-DC-C5-54:FTS"
(4)   Calling-Station-Id = "48-59-29-D4-FC-33"
(4)   NAS-Port-Type = Wireless-802.11
(4)   Connect-Info = "CONNECT 54Mbps 802.11g"
(4)   EAP-Message =  
0x020400901980000000861603010046100000424104631fdc9346cd60c44035b7efb9e8f1f0c997f33787eff9189e4b6eeee27cc542d466b86da33c4f378c5ce26aa52d5d311a5790c308e422e121b9093286c1c303140301000101160301003085b82bf9e3a0949af7d6af10fc9938d21707e2778c3cde
(4)   NAS-IP-Address = 192.168.1.5
(4)   NAS-Port = 2
(4)   NAS-Port-Id = "STA port # 2"
(4) session-state: No cached attributes
(4) # Executing section authorize from file  
/etc/freeradius/3.0/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
   -> FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "aymeema", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 4 length 144
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0xee0bf512ed0fecd6
(4) eap: Finished EAP session with state 0xee0bf512ed0fecd6
(4) eap: Previous EAP request found for state 0xee0bf512ed0fecd6,  
released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 134 bytes
(4) eap_peap: Got complete TLS record (134 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: TLS_accept: SSLv3/TLS write server done
(4) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange
(4) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(4) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(4) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap: TLS_accept: SSLv3/TLS read finished
(4) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(4) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap: TLS_accept: SSLv3/TLS write finished
(4) eap_peap: (other): SSL negotiation finished successfully
(4) eap_peap: SSL Connection Established
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 65
(4) eap: EAP session adding &reply:State = 0xee0bf512ea0eecd6
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found.  Ignoring.
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) Sent Access-Challenge Id 4 from 192.168.0.9:1812 to  
192.168.0.80:1061 length 0
(4)   EAP-Message =  
0x01050041190014030100010116030100309e11214d85fa990821becf3a07c9bb538025176dc796b9634c64808ba1686f9238894ab9576ed35c33363c495fe50394
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0xee0bf512ea0eecd6e57224eb55af15dd
(4) Finished request
Waking up in 3.9 seconds.
(5) Received Access-Request Id 5 from 192.168.0.80:1061 to  
192.168.0.9:1812 length 184
(5)   Message-Authenticator = 0x5817762eb30c8ca2143d311a5f05701f
(5)   Service-Type = Framed-User
(5)   User-Name = "aymeema"
(5)   Framed-MTU = 1488
(5)   State = 0xee0bf512ea0eecd6e57224eb55af15dd
(5)   Called-Station-Id = "00-23-CD-DC-C5-54:FTS"
(5)   Calling-Station-Id = "48-59-29-D4-FC-33"
(5)   NAS-Port-Type = Wireless-802.11
(5)   Connect-Info = "CONNECT 54Mbps 802.11g"
(5)   EAP-Message = 0x020500061900
(5)   NAS-IP-Address = 192.168.1.5
(5)   NAS-Port = 2
(5)   NAS-Port-Id = "STA port # 2"
(5) session-state: No cached attributes
(5) # Executing section authorize from file  
/etc/freeradius/3.0/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
   -> FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "aymeema", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 5 length 6
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0xee0bf512ea0eecd6
(5) eap: Finished EAP session with state 0xee0bf512ea0eecd6
(5) eap: Previous EAP request found for state 0xee0bf512ea0eecd6,  
released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
(5) eap_peap: [eaptls verify] = success
(5) eap_peap: [eaptls process] = success
(5) eap_peap: Session established.  Decoding tunneled attributes
(5) eap_peap: PEAP state TUNNEL ESTABLISHED
(5) eap: Sending EAP Request (code 1) ID 6 length 43
(5) eap: EAP session adding &reply:State = 0xee0bf512eb0decd6
(5)     [eap] = handled
(5)   } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found.  Ignoring.
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) Sent Access-Challenge Id 5 from 192.168.0.9:1812 to  
192.168.0.80:1061 length 0
(5)   EAP-Message =  
0x0106002b19001703010020e5982b8f79ff254f613da0903bf2edcd9082b515df3088104824bfed85946d68
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0xee0bf512eb0decd6e57224eb55af15dd
(5) Finished request
Waking up in 3.9 seconds.
(6) Received Access-Request Id 6 from 192.168.0.80:1061 to  
192.168.0.9:1812 length 258
(6)   Message-Authenticator = 0xc0a67886a6db2931141dc8ab02e5f4ec
(6)   Service-Type = Framed-User
(6)   User-Name = "aymeema"
(6)   Framed-MTU = 1488
(6)   State = 0xee0bf512eb0decd6e57224eb55af15dd
(6)   Called-Station-Id = "00-23-CD-DC-C5-54:FTS"
(6)   Calling-Station-Id = "48-59-29-D4-FC-33"
(6)   NAS-Port-Type = Wireless-802.11
(6)   Connect-Info = "CONNECT 54Mbps 802.11g"
(6)   EAP-Message =  
0x0206005019001703010020b02f8c267ab89a8847fbfc6ee6ab613935ab0fdc7c2e2635d7f785dd8ea3d6e31703010020383a7ac5e717bd2dff247c3d2aeed6364d86752af73793a7ba166abcb88aea89
(6)   NAS-IP-Address = 192.168.1.5
(6)   NAS-Port = 2
(6)   NAS-Port-Id = "STA port # 2"
(6) session-state: No cached attributes
(6) # Executing section authorize from file  
/etc/freeradius/3.0/sites-enabled/default
(6)   authorize {
(6)     policy filter_username {
(6)       if (&User-Name) {
(6)       if (&User-Name)  -> TRUE
(6)       if (&User-Name)  {
(6)         if (&User-Name =~ / /) {
(6)         if (&User-Name =~ / /)  -> FALSE
(6)         if (&User-Name =~ /@[^@]*@/ ) {
(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)         if (&User-Name =~ /\.\./ ) {
(6)         if (&User-Name =~ /\.\./ )  -> FALSE
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
   -> FALSE
(6)         if (&User-Name =~ /\.$/)  {
(6)         if (&User-Name =~ /\.$/)   -> FALSE
(6)         if (&User-Name =~ /@\./)  {
(6)         if (&User-Name =~ /@\./)   -> FALSE
(6)       } # if (&User-Name)  = notfound
(6)     } # policy filter_username = notfound
(6)     [preprocess] = ok
(6)     [chap] = noop
(6)     [mschap] = noop
(6)     [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "aymeema", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)     [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 80
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6)   authenticate {
(6) eap: Expiring EAP session with state 0xee0bf512eb0decd6
(6) eap: Finished EAP session with state 0xee0bf512eb0decd6
(6) eap: Previous EAP request found for state 0xee0bf512eb0decd6,  
released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: [eaptls verify] = ok
(6) eap_peap: Done initial handshake
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established.  Decoding tunneled attributes
(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(6) eap_peap: Identity - aymeema
(6) eap_peap: Got inner identity 'aymeema'
(6) eap_peap: Setting default EAP type for tunneled EAP session
(6) eap_peap: Got tunneled request
(6) eap_peap:   EAP-Message = 0x0206000c0161796d65656d61
(6) eap_peap: Setting User-Name to aymeema
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap:   EAP-Message = 0x0206000c0161796d65656d61
(6) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap:   User-Name = "aymeema"
(6) Virtual server inner-tunnel received request
(6)   EAP-Message = 0x0206000c0161796d65656d61
(6)   FreeRADIUS-Proxied-To = 127.0.0.1
(6)   User-Name = "aymeema"
(6) WARNING: Outer and inner identities are the same.  User privacy is  
compromised.
(6) server inner-tunnel {
(6)   # Executing section authorize from file  
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(6)     authorize {
(6)       policy filter_username {
(6)         if (&User-Name) {
(6)         if (&User-Name)  -> TRUE
(6)         if (&User-Name)  {
(6)           if (&User-Name =~ / /) {
(6)           if (&User-Name =~ / /)  -> FALSE
(6)           if (&User-Name =~ /@[^@]*@/ ) {
(6)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)           if (&User-Name =~ /\.\./ ) {
(6)           if (&User-Name =~ /\.\./ )  -> FALSE
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)           if ((&User-Name =~ /@/) && (&User-Name !~  
/@(.+)\.(.+)$/))   -> FALSE
(6)           if (&User-Name =~ /\.$/)  {
(6)           if (&User-Name =~ /\.$/)   -> FALSE
(6)           if (&User-Name =~ /@\./)  {
(6)           if (&User-Name =~ /@\./)   -> FALSE
(6)         } # if (&User-Name)  = notfound
(6)       } # policy filter_username = notfound
(6)       [chap] = noop
(6)       [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "aymeema", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)       [suffix] = noop
(6)       update control {
(6)         &Proxy-To-Realm := LOCAL
(6)       } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 12
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit  
the rest of authorize
(6)       [eap] = ok
(6)     } # authorize = ok
(6)   Found Auth-Type = eap
(6)   # Executing group from file  
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(6)     authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: Issuing Challenge
(6) eap: Sending EAP Request (code 1) ID 7 length 43
(6) eap: EAP session adding &reply:State = 0x122cc322122bd902
(6)       [eap] = handled
(6)     } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6)   EAP-Message =  
0x0107002b1a0107002610376ccdc558f65a17b14afc6aca1ccfef667265657261646975732d332e302e3132
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0x122cc322122bd9025a123037d96cd8cc
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap:   EAP-Message =  
0x0107002b1a0107002610376ccdc558f65a17b14afc6aca1ccfef667265657261646975732d332e302e3132
(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap:   State = 0x122cc322122bd9025a123037d96cd8cc
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap:   EAP-Message =  
0x0107002b1a0107002610376ccdc558f65a17b14afc6aca1ccfef667265657261646975732d332e302e3132
(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap:   State = 0x122cc322122bd9025a123037d96cd8cc
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 7 length 75
(6) eap: EAP session adding &reply:State = 0xee0bf512e80cecd6
(6)     [eap] = handled
(6)   } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found.  Ignoring.
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) Sent Access-Challenge Id 6 from 192.168.0.9:1812 to  
192.168.0.80:1061 length 0
(6)   EAP-Message =  
0x0107004b19001703010040171a800058420a49caaa8d4866e007313847e5baccdd901f56266b9863c45e076cce5ee00d9c0ea977fab30c69c1d8c5e16a06f7c69fff919decaaf19a5a90f6
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0xee0bf512e80cecd6e57224eb55af15dd
(6) Finished request
Waking up in 3.8 seconds.
(7) Received Access-Request Id 7 from 192.168.0.80:1061 to  
192.168.0.9:1812 length 322
(7)   Message-Authenticator = 0x4dc080cff5d2aec2ee857c6c7375b959
(7)   Service-Type = Framed-User
(7)   User-Name = "aymeema"
(7)   Framed-MTU = 1488
(7)   State = 0xee0bf512e80cecd6e57224eb55af15dd
(7)   Called-Station-Id = "00-23-CD-DC-C5-54:FTS"
(7)   Calling-Station-Id = "48-59-29-D4-FC-33"
(7)   NAS-Port-Type = Wireless-802.11
(7)   Connect-Info = "CONNECT 54Mbps 802.11g"
(7)   EAP-Message =  
0x0207009019001703010020b184428e6a6c8997d160d1a52137bbf60102a804bb422c47aa5f08e04eadc391170301006002f9a0662fa796bca2340e3ea61f635a9da1e2836df02e56a30ee198ea1b58d5a9cc41385046f7138e93c6124fcf6f1e32559708b4797a9c94ab3a2be57dd6535d72c428c5c02a
(7)   NAS-IP-Address = 192.168.1.5
(7)   NAS-Port = 2
(7)   NAS-Port-Id = "STA port # 2"
(7) session-state: No cached attributes
(7) # Executing section authorize from file  
/etc/freeradius/3.0/sites-enabled/default
(7)   authorize {
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
   -> FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = notfound
(7)     } # policy filter_username = notfound
(7)     [preprocess] = ok
(7)     [chap] = noop
(7)     [mschap] = noop
(7)     [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "aymeema", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)     [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 144
(7) eap: Continuing tunnel setup
(7)     [eap] = ok
(7)   } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7)   authenticate {
(7) eap: Expiring EAP session with state 0x122cc322122bd902
(7) eap: Finished EAP session with state 0xee0bf512e80cecd6
(7) eap: Previous EAP request found for state 0xee0bf512e80cecd6,  
released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established.  Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap:   EAP-Message =  
0x020700421a0207003d310fd6e853d94fc6045add7929942343ee00000000000000009620b931c92b1f08b063b513a33a5330e01b5519358610210061796d65656d61
(7) eap_peap: Setting User-Name to aymeema
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap:   EAP-Message =  
0x020700421a0207003d310fd6e853d94fc6045add7929942343ee00000000000000009620b931c92b1f08b063b513a33a5330e01b5519358610210061796d65656d61
(7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap:   User-Name = "aymeema"
(7) eap_peap:   State = 0x122cc322122bd9025a123037d96cd8cc
(7) Virtual server inner-tunnel received request
(7)   EAP-Message =  
0x020700421a0207003d310fd6e853d94fc6045add7929942343ee00000000000000009620b931c92b1f08b063b513a33a5330e01b5519358610210061796d65656d61
(7)   FreeRADIUS-Proxied-To = 127.0.0.1
(7)   User-Name = "aymeema"
(7)   State = 0x122cc322122bd9025a123037d96cd8cc
(7) WARNING: Outer and inner identities are the same.  User privacy is  
compromised.
(7) server inner-tunnel {
(7)   session-state: No cached attributes
(7)   # Executing section authorize from file  
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7)     authorize {
(7)       policy filter_username {
(7)         if (&User-Name) {
(7)         if (&User-Name)  -> TRUE
(7)         if (&User-Name)  {
(7)           if (&User-Name =~ / /) {
(7)           if (&User-Name =~ / /)  -> FALSE
(7)           if (&User-Name =~ /@[^@]*@/ ) {
(7)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)           if (&User-Name =~ /\.\./ ) {
(7)           if (&User-Name =~ /\.\./ )  -> FALSE
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)           if ((&User-Name =~ /@/) && (&User-Name !~  
/@(.+)\.(.+)$/))   -> FALSE
(7)           if (&User-Name =~ /\.$/)  {
(7)           if (&User-Name =~ /\.$/)   -> FALSE
(7)           if (&User-Name =~ /@\./)  {
(7)           if (&User-Name =~ /@\./)   -> FALSE
(7)         } # if (&User-Name)  = notfound
(7)       } # policy filter_username = notfound
(7)       [chap] = noop
(7)       [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "aymeema", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)       [suffix] = noop
(7)       update control {
(7)         &Proxy-To-Realm := LOCAL
(7)       } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 66
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7)       [eap] = updated
(7)       [files] = noop
(7) perl:   $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'aymeema'
(7) perl:   $RAD_REQUEST{'State'} = &request:State ->  
'0x122cc322122bd9025a123037d96cd8cc'
(7) perl:   $RAD_REQUEST{'EAP-Message'} = &request:EAP-Message ->  
'0x020700421a0207003d310fd6e853d94fc6045add7929942343ee00000000000000009620b931c92b1f08b063b513a33a5330e01b5519358610210061796d65656d61'
(7) perl:   $RAD_REQUEST{'FreeRADIUS-Proxied-To'} =  
&request:FreeRADIUS-Proxied-To -> '127.0.0.1'
(7) perl:   $RAD_REQUEST{'EAP-Type'} = &request:EAP-Type -> 'MSCHAPv2'
(7) perl:   $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'eap'
(7) perl:   $RAD_CHECK{'Proxy-To-Realm'} = &control:Proxy-To-Realm -> 'LOCAL'
(7) perl:   $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'eap'
(7) perl:   $RAD_CONFIG{'Proxy-To-Realm'} = &control:Proxy-To-Realm -> 'LOCAL'
SOFT ASSERT FAILED src/modules/rlm_perl/rlm_perl.c[703]: *vps
(7) perl: &request:EAP-Message = $RAD_REQUEST{'EAP-Message'} ->  
'0x020700421a0207003d310fd6e853d94fc6045add7929942343ee00000000000000009620b931c92b1f08b063b513a33a5330e01b5519358610210061796d65656d61'
(7) perl: &request:State = $RAD_REQUEST{'State'} ->  
'0x122cc322122bd9025a123037d96cd8cc'
(7) perl: &request:FreeRADIUS-Proxied-To =  
$RAD_REQUEST{'FreeRADIUS-Proxied-To'} -> '127.0.0.1'
(7) perl: &request:EAP-Type = $RAD_REQUEST{'EAP-Type'} -> 'MSCHAPv2'
(7) perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'aymeema'
SOFT ASSERT FAILED src/modules/rlm_perl/rlm_perl.c[703]: *vps
(7) perl: &control:Proxy-To-Realm = $RAD_CHECK{'Proxy-To-Realm'} -> 'LOCAL'
(7) perl: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'eap'
(7)       [perl] = ok
(7)       [expiration] = noop
(7)       [logintime] = noop
(7)       [pap] = noop
(7)     } # authorize = updated
(7)   Found Auth-Type = eap
(7)   # Executing group from file  
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7)     authenticate {
(7) eap: Expiring EAP session with state 0x122cc322122bd902
(7) eap: Finished EAP session with state 0x122cc322122bd902
(7) eap: Previous EAP request found for state 0x122cc322122bd902,  
released from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file  
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) eap_mschapv2:   authenticate {
(7) mschap: WARNING: No Cleartext-Password configured.  Cannot create  
NT-Password
(7) mschap: WARNING: No Cleartext-Password configured.  Cannot create  
LM-Password
(7) mschap: Creating challenge hash with username: aymeema
(7) mschap: Client is using MS-CHAPv2
(7) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(7) mschap: ERROR: MS-CHAP2-Response is incorrect
(7)     [mschap] = reject
(7)   } # authenticate = reject
(7) eap: Sending EAP Failure (code 4) ID 7 length 4
(7) eap: Freeing handler
(7)       [eap] = reject
(7)     } # authenticate = reject
(7)   Failed to authenticate the user
(7)   Using Post-Auth-Type Reject
(7)   # Executing group from file  
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7)     Post-Auth-Type REJECT {
(7) attr_filter.access_reject: EXPAND %{User-Name}
(7) attr_filter.access_reject:    --> aymeema
(7) attr_filter.access_reject: Matched entry DEFAULT at line 11
(7)       [attr_filter.access_reject] = updated
(7)       update outer.session-state {
(7)         &Module-Failure-Message := &request:Module-Failure-Message  
-> 'mschap: FAILED: No NT/LM-Password.  Cannot perform authentication'
(7)       } # update outer.session-state = noop
(7)     } # Post-Auth-Type REJECT = updated
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7)   MS-CHAP-Error = "\007E=691 R=1  
C=fcb1c9be7da91078278e0b9b45cf0517 V=3 M=Authentication failed"
(7)   EAP-Message = 0x04070004
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: Got tunneled reply code 3
(7) eap_peap:   MS-CHAP-Error = "\007E=691 R=1  
C=fcb1c9be7da91078278e0b9b45cf0517 V=3 M=Authentication failed"
(7) eap_peap:   EAP-Message = 0x04070004
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: Got tunneled reply RADIUS code 3
(7) eap_peap:   MS-CHAP-Error = "\007E=691 R=1  
C=fcb1c9be7da91078278e0b9b45cf0517 V=3 M=Authentication failed"
(7) eap_peap:   EAP-Message = 0x04070004
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: Tunneled authentication was rejected
(7) eap_peap: FAILURE
(7) eap: Sending EAP Request (code 1) ID 8 length 43
(7) eap: EAP session adding &reply:State = 0xee0bf512e903ecd6
(7)     [eap] = handled
(7)   } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found.  Ignoring.
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) session-state: Saving cached attributes
(7)   Module-Failure-Message := "mschap: FAILED: No NT/LM-Password.   
Cannot perform authentication"
(7) Sent Access-Challenge Id 7 from 192.168.0.9:1812 to  
192.168.0.80:1061 length 0
(7)   EAP-Message =  
0x0108002b19001703010020349d637b500281f48f99c09f3393a3f9ff128e70fe6005b6de3d4d5db3fd680f
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0xee0bf512e903ecd6e57224eb55af15dd
(7) Finished request
Waking up in 3.8 seconds.
(8) Received Access-Request Id 8 from 192.168.0.80:1061 to  
192.168.0.9:1812 length 258
(8)   Message-Authenticator = 0x6d2614f187dcdb7592b43f61f3bc426c
(8)   Service-Type = Framed-User
(8)   User-Name = "aymeema"
(8)   Framed-MTU = 1488
(8)   State = 0xee0bf512e903ecd6e57224eb55af15dd
(8)   Called-Station-Id = "00-23-CD-DC-C5-54:FTS"
(8)   Calling-Station-Id = "48-59-29-D4-FC-33"
(8)   NAS-Port-Type = Wireless-802.11
(8)   Connect-Info = "CONNECT 54Mbps 802.11g"
(8)   EAP-Message =  
0x02080050190017030100206c2d7efa7278365fe6169b3873bb4bd90d9bea6499b5a50b532e34b4cedddaaf170301002068dc2af39bb85f463ce6f8b752991db68a1079ae0382ef75f600bada56b907a1
(8)   NAS-IP-Address = 192.168.1.5
(8)   NAS-Port = 2
(8)   NAS-Port-Id = "STA port # 2"
(8) Restoring &session-state
(8)   &session-state:Module-Failure-Message := "mschap: FAILED: No  
NT/LM-Password.  Cannot perform authentication"
(8) # Executing section authorize from file  
/etc/freeradius/3.0/sites-enabled/default
(8)   authorize {
(8)     policy filter_username {
(8)       if (&User-Name) {
(8)       if (&User-Name)  -> TRUE
(8)       if (&User-Name)  {
(8)         if (&User-Name =~ / /) {
(8)         if (&User-Name =~ / /)  -> FALSE
(8)         if (&User-Name =~ /@[^@]*@/ ) {
(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)         if (&User-Name =~ /\.\./ ) {
(8)         if (&User-Name =~ /\.\./ )  -> FALSE
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)         if (&User-Name =~ /\.$/)  {
(8)         if (&User-Name =~ /\.$/)   -> FALSE
(8)         if (&User-Name =~ /@\./)  {
(8)         if (&User-Name =~ /@\./)   -> FALSE
(8)       } # if (&User-Name)  = notfound
(8)     } # policy filter_username = notfound
(8)     [preprocess] = ok
(8)     [chap] = noop
(8)     [mschap] = noop
(8)     [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "aymeema", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 80
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8)   authenticate {
(8) eap: Expiring EAP session with state 0xee0bf512e903ecd6
(8) eap: Finished EAP session with state 0xee0bf512e903ecd6
(8) eap: Previous EAP request found for state 0xee0bf512e903ecd6, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state send tlv failure
(8) eap_peap: Received EAP-TLV response
(8) eap_peap:   The users session was previously rejected: returning reject (again.)
(8) eap_peap:   This means you need to read the PREVIOUS messages in the debug output
(8) eap_peap:   to find out the reason why the user was rejected
(8) eap_peap:   Look for "reject" or "fail".  Those earlier messages will tell you
(8) eap_peap:   what went wrong, and how to fix the problem
(8) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(8) eap: Sending EAP Failure (code 4) ID 8 length 4
(8) eap: Failed in EAP select
(8)     [eap] = invalid
(8)   } # authenticate = invalid
(8) Failed to authenticate the user
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8)   Post-Auth-Type REJECT {
(8) attr_filter.access_reject: EXPAND %{User-Name}
(8) attr_filter.access_reject:    --> aymeema
(8) attr_filter.access_reject: Matched entry DEFAULT at line 11
(8)     [attr_filter.access_reject] = updated
(8)     [eap] = noop
(8)     policy remove_reply_message_if_eap {
(8)       if (&reply:EAP-Message && &reply:Reply-Message) {
(8)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(8)       else {
(8)         [noop] = noop
(8)       } # else = noop
(8)     } # policy remove_reply_message_if_eap = noop
(8)   } # Post-Auth-Type REJECT = updated
(8) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(8) Sending delayed response
(8) Sent Access-Reject Id 8 from 192.168.0.9:1812 to 192.168.0.80:1061 length 44
(8)   EAP-Message = 0x04080004
(8)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 2.8 seconds.
(0) Cleaning up request packet ID 0 with timestamp +55
(1) Cleaning up request packet ID 1 with timestamp +55
(2) Cleaning up request packet ID 2 with timestamp +55
(3) Cleaning up request packet ID 3 with timestamp +55
Waking up in 1.0 seconds.
(4) Cleaning up request packet ID 4 with timestamp +56
(5) Cleaning up request packet ID 5 with timestamp +56
(6) Cleaning up request packet ID 6 with timestamp +56
(7) Cleaning up request packet ID 7 with timestamp +56
(8) Cleaning up request packet ID 8 with timestamp +56
Ready to process requests

Any suggestions?


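Request (8) in the debug output above only says the session was "previously rejected" and points back to earlier messages. The following added example (not part of the original post and not FreeRADIUS code) groups `radiusd -X` output by request number, links EAP rounds through the State attribute, and returns the failure lines from the oldest linked round. The sample is a trimmed excerpt of the log above, and all function names are hypothetical.

```python
import re

# Trimmed excerpt of the `radiusd -X` output above; two mail-wrapped lines kept on purpose.
SAMPLE = """\
(7) eap_peap: Tunneled authentication was rejected
(7)   Module-Failure-Message := "mschap: FAILED: No NT/LM-Password.
Cannot perform authentication"
(7) Sent Access-Challenge Id 7 from 192.168.0.9:1812 to 192.168.0.80:1061 length 0
(7)   State = 0xee0bf512e903ecd6e57224eb55af15dd
Waking up in 3.8 seconds.
(8) Received Access-Request Id 8 from 192.168.0.80:1061 to 192.168.0.9:1812 length 258
(8)   State = 0xee0bf512e903ecd6e57224eb55af15dd
(8) eap_peap:   The users session was previously rejected: returning
reject (again.)
(8) Sent Access-Reject Id 8 from 192.168.0.9:1812 to 192.168.0.80:1061 length 44
"""

REQ = re.compile(r"^\((\d+)\)\s(.*)$")        # "(8) text" -> request number 8
STATE = re.compile(r"State = (0x[0-9a-f]+)")  # attribute line only, not "&reply:State = ..."
FAIL = re.compile(r"reject|fail", re.I)       # the words the server says to look for

def by_request(text):
    """Group lines by request number, rejoining wrapped continuation lines."""
    reqs, cur = {}, None
    for raw in text.splitlines():
        m = REQ.match(raw)
        if m:
            cur = int(m.group(1))
            reqs.setdefault(cur, []).append(m.group(2).strip())
        elif cur is not None and raw.strip() and not raw.startswith(("Waking up", "Ready to")):
            reqs[cur][-1] += " " + raw.strip()
    return reqs

def first_state(lines):
    return next((m.group(1) for l in lines if (m := STATE.fullmatch(l))), None)

def states(lines):
    """Return (State received in the request, State sent in the reply)."""
    cut = next((i for i, l in enumerate(lines) if l.startswith("Sent Access-")), len(lines))
    return first_state(lines[:cut]), first_state(lines[cut:])

def root_cause(reqs, rid):
    """Follow State back to earlier rounds; return (round, failure lines) for the oldest hit."""
    sent_by = {s: n for n, l in reqs.items() if (s := states(l)[1])}
    chain = [rid]
    while (prev := sent_by.get(states(reqs[chain[-1]])[0])) is not None and prev not in chain:
        chain.append(prev)
    hits = ((n, [l for l in reqs[n] if FAIL.search(l)]) for n in reversed(chain))
    return next(((n, h) for n, h in hits if h), None)
```

Calling `root_cause(by_request(SAMPLE), 8)` reports round 7, whose lines include the `Module-Failure-Message` from mschap rather than the generic reject in round 8.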