Password " $ " Sign issue
prasad karulkar
prasad at iitdh.ac.in
Fri Mar 29 07:22:12 CET 2019
Dear Alan,
Please find attached debug logs.
The following is the error as per the logs. What can be the issue, please?
[mschap] Client is using MS-CHAPv2 for test.fac1, we need NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Login incorrect: [test.fac1/<via Auth-Type = EAP>] (from client iitap port 0 cli D4-63-C6-9E-33-BD via TLS tunnel)
Using Post-Auth-Type Reject
On Fri, Mar 22, 2019 at 4:27 PM Alan DeKok <aland at deployingradius.com> wrote:
> On Mar 22, 2019, at 1:21 AM, prasad karulkar <prasad at iitdh.ac.in> wrote:
> > I have configured a FreeRADIUS server for my Cisco wireless authentication
> > through LDAP.
> > I am facing one issue.
> > When a user sets a password which has a $ sign, the user is not able to
> > access wireless.
> >
> > e.g. :
> > 1. If the user's password is: Pass123$ then it does connect to wireless
> > 2. If the user's password is: Pass$123 then it does not connect to wireless
> > 3. If we put a $ sign anywhere in between the password, the user is not able to
> > connect to wireless.
> >
> > I see from the aaa debugs that the Radius server sent Access-Reject, as you
> > see below:
> >
> > *radiusTransportThread: Mar 20 10:48:02.130:
> > 3c:f8:62:7e:fd:1a Access-Reject received from RADIUS server 10.250.200.11
> > (qid:10) with port:1812, pktId:167 for mobile 3c:f8:62:7e:fd:1a receiveId =
> > 6
>
> If only FreeRADIUS had debug output you could read.
>
> Alan DeKok.
-------------- next part --------------
[root at radius ~]#
[root at radius ~]# radiusd -X
radiusd: FreeRADIUS Version 2.2.10, for host x86_64-unknown-linux-gnu, built on Jan 30 2019 at 00:05:00
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /home/setup.radius/etc/raddb/radiusd.conf
including configuration file /home/setup.radius/etc/raddb/proxy.conf
including configuration file /home/setup.radius/etc/raddb/clients.conf
including files in directory /home/setup.radius/etc/raddb/modules/
including configuration file /home/setup.radius/etc/raddb/modules/acct_unique
including configuration file /home/setup.radius/etc/raddb/modules/always
including configuration file /home/setup.radius/etc/raddb/modules/attr_filter
including configuration file /home/setup.radius/etc/raddb/modules/attr_rewrite
including configuration file /home/setup.radius/etc/raddb/modules/cache
including configuration file /home/setup.radius/etc/raddb/modules/chap
including configuration file /home/setup.radius/etc/raddb/modules/checkval
including configuration file /home/setup.radius/etc/raddb/modules/counter
including configuration file /home/setup.radius/etc/raddb/modules/cui
including configuration file /home/setup.radius/etc/raddb/modules/detail
including configuration file /home/setup.radius/etc/raddb/modules/detail.example.com
including configuration file /home/setup.radius/etc/raddb/modules/detail.log
including configuration file /home/setup.radius/etc/raddb/modules/dhcp_sqlippool
including configuration file /home/setup.radius/etc/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /home/setup.radius/etc/raddb/modules/digest
including configuration file /home/setup.radius/etc/raddb/modules/dynamic_clients
including configuration file /home/setup.radius/etc/raddb/modules/echo
including configuration file /home/setup.radius/etc/raddb/modules/etc_group
including configuration file /home/setup.radius/etc/raddb/modules/exec
including configuration file /home/setup.radius/etc/raddb/modules/expiration
including configuration file /home/setup.radius/etc/raddb/modules/expr
including configuration file /home/setup.radius/etc/raddb/modules/files
including configuration file /home/setup.radius/etc/raddb/modules/ippool
including configuration file /home/setup.radius/etc/raddb/modules/krb5
including configuration file /home/setup.radius/etc/raddb/modules/linelog
including configuration file /home/setup.radius/etc/raddb/modules/logintime
including configuration file /home/setup.radius/etc/raddb/modules/mac2ip
including configuration file /home/setup.radius/etc/raddb/modules/mac2vlan
including configuration file /home/setup.radius/etc/raddb/modules/ntlm_auth
including configuration file /home/setup.radius/etc/raddb/modules/opendirectory
including configuration file /home/setup.radius/etc/raddb/modules/otp
including configuration file /home/setup.radius/etc/raddb/modules/pam
including configuration file /home/setup.radius/etc/raddb/modules/pap
including configuration file /home/setup.radius/etc/raddb/modules/passwd
including configuration file /home/setup.radius/etc/raddb/modules/perl
including configuration file /home/setup.radius/etc/raddb/modules/policy
including configuration file /home/setup.radius/etc/raddb/modules/preprocess
including configuration file /home/setup.radius/etc/raddb/modules/radrelay
including configuration file /home/setup.radius/etc/raddb/modules/radutmp
including configuration file /home/setup.radius/etc/raddb/modules/realm
including configuration file /home/setup.radius/etc/raddb/modules/redis
including configuration file /home/setup.radius/etc/raddb/modules/rediswho
including configuration file /home/setup.radius/etc/raddb/modules/replicate
including configuration file /home/setup.radius/etc/raddb/modules/smbpasswd
including configuration file /home/setup.radius/etc/raddb/modules/smsotp
including configuration file /home/setup.radius/etc/raddb/modules/soh
including configuration file /home/setup.radius/etc/raddb/modules/sql_log
including configuration file /home/setup.radius/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /home/setup.radius/etc/raddb/modules/sradutmp
including configuration file /home/setup.radius/etc/raddb/modules/unix
including configuration file /home/setup.radius/etc/raddb/modules/wimax
including configuration file /home/setup.radius/etc/raddb/modules/inner-eap
including configuration file /home/setup.radius/etc/raddb/modules/mschap
including configuration file /home/setup.radius/etc/raddb/modules/ldap
including configuration file /home/setup.radius/etc/raddb/modules/f_ticks
including configuration file /home/setup.radius/etc/raddb/eap.conf
including configuration file /home/setup.radius/etc/raddb/policy.conf
including files in directory /home/setup.radius/etc/raddb/sites-enabled/
including configuration file /home/setup.radius/etc/raddb/sites-enabled/default
including configuration file /home/setup.radius/etc/raddb/sites-enabled/inner-tunnel
including configuration file /home/setup.radius/etc/raddb/sites-enabled/control-socket
including configuration file /home/setup.radius/etc/raddb/sites-enabled/eduroam
including configuration file /home/setup.radius/etc/raddb/sites-enabled/eduroam-inner-tunnel
main {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
including dictionary file /home/setup.radius/etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/home/setup.radius"
localstatedir = "/home/setup.radius/var"
sbindir = "/home/setup.radius/sbin"
logdir = "/home/setup.radius/var/log/radius"
run_dir = "/home/setup.radius/var/run/radiusd"
libdir = "/home/setup.radius/lib"
radacctdir = "/home/setup.radius/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/home/setup.radius/var/run/radiusd/radiusd.pid"
checkrad = "/home/setup.radius/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = no
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "IDENTITY MASKED"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
realm NULL {
authhost = LOCAL
}
realm x.com {
authhost = LOCAL
}
realm DEFAULT {
nostrip
authhost = flr1.eduroam.ernet.in
secret = IDENTITY MASKED
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "IDENTITY MASKED"
nastype = "other"
}
client 10.250.200.52 {
require_message_authenticator = no
secret = "IDENTITY MASKED"
}
client iitap {
ipaddr = 103.21.127.8
require_message_authenticator = no
secret = "IDENTITY MASKED"
}
client cisco-controller {
ipaddr = 10.196.3.252
require_message_authenticator = no
secret = "IDENTITY MASKED"
}
client 10.250.1.0/24 {
require_message_authenticator = no
secret = "IDENTITY MASKED"
shortname = "mojo-dc"
}
client 10.250.9.0/24 {
require_message_authenticator = no
secret = "IDENTITY MASKED"
shortname = "classrooms-left"
}
client 10.250.10.0/24 {
require_message_authenticator = no
secret = "IDENTITY MASKED"
shortname = "classrooms-middle"
}
client 10.250.11.0/24 {
require_message_authenticator = no
secret = "IDENTITY MASKED"
shortname = "classrooms-right"
}
client 10.250.12.0/24 {
require_message_authenticator = no
secret = "IDENTITY MASKED"
shortname = "lcr-lab"
}
client 10.250.26.0/24 {
require_message_authenticator = no
secret = "IDENTITY MASKED"
shortname = "mess-building"
}
client 10.250.27.0/24 {
require_message_authenticator = no
secret = "IDENTITY MASKED"
shortname = "hostel-1"
}
client 10.250.28.0/24 {
require_message_authenticator = no
secret = "IDENTITY MASKED"
shortname = "hostel-2"
}
client 10.250.29.0/24 {
require_message_authenticator = no
secret = "IDENTITY MASKED"
shortname = "hostel-3"
}
client 10.250.30.0/24 {
require_message_authenticator = no
secret = "IDENTITY MASKED"
shortname = "hostel-4"
}
client 10.250.31.0/24 {
require_message_authenticator = no
secret = "IDENTITY MASKED"
shortname = "hostel-5"
}
client 10.250.32.0/24 {
require_message_authenticator = no
secret = "IDENTITY MASKED"
shortname = "hostel-6"
}
client 10.250.33.0/24 {
require_message_authenticator = no
secret = "IDENTITY MASKED"
shortname = "hostel-7"
}
client 10.250.34.0/24 {
require_message_authenticator = no
secret = "IDENTITY MASKED"
shortname = "hostel-8"
}
client 10.250.35.0/24 {
require_message_authenticator = no
secret = "IDENTITY MASKED"
shortname = "hostel-9"
}
client 10.250.36.0/24 {
require_message_authenticator = no
secret = "IDENTITY MASKED"
shortname = "hostel-10"
}
client flr1.eduroam.ernet.in {
require_message_authenticator = no
secret = "IDENTITY MASKED"
shortname = "flr1"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /home/setup.radius/etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /home/setup.radius/etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /home/setup.radius/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /home/setup.radius/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /home/setup.radius/etc/raddb/radiusd.conf
modules {
Module: Creating Auth-Type = digest
Module: Creating Auth-Type = LDAP
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /home/setup.radius/etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /home/setup.radius/etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /home/setup.radius/etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /home/setup.radius/etc/raddb/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /home/setup.radius/etc/raddb/modules/unix
unix {
radwtmp = "/home/setup.radius/var/log/radius/radwtmp"
}
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file /home/setup.radius/etc/raddb/modules/ldap
ldap {
server = "ldap.x.com"
port = 389
password = "IDENTITY MASKED"
expect_password = yes
identity = "cn=wireless,ou=people,dc=x,dc=com"
net_timeout = 1
timeout = 4
timelimit = 3
max_uses = 0
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
require_cert = "allow"
}
basedn = "ou=people,dc=x,dc=com"
filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(policy=accept)(enabledapps=web))"
base_filter = "(objectclass=posixAccount)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
dictionary_mapping = "/home/setup.radius/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
keepalive {
idle = 60
probes = 3
interval = 3
}
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /home/setup.radius/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP employeeType mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
rlm_ldap: LDAP departmentNumber mapped to RADIUS Dept-Number
conns: 0x1ce6f80
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /home/setup.radius/etc/raddb/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/home/setup.radius/etc/raddb/certs/server.key"
certificate_file = "/home/setup.radius/etc/raddb/certs/server.pem"
CA_file = "/home/setup.radius/etc/raddb/certs/ca.pem"
private_key_password = "IDENTITY MASKED"
dh_file = "/home/setup.radius/etc/raddb/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /home/setup.radius/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/home/setup.radius/etc/raddb/huntgroups"
hints = "/home/setup.radius/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /home/setup.radius/etc/raddb/huntgroups
reading pairlist file /home/setup.radius/etc/raddb/hints
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /home/setup.radius/etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /home/setup.radius/etc/raddb/modules/files
files {
usersfile = "/home/setup.radius/etc/raddb/users"
acctusersfile = "/home/setup.radius/etc/raddb/acct_users"
preproxy_usersfile = "/home/setup.radius/etc/raddb/preproxy_users"
compat = "no"
}
reading pairlist file /home/setup.radius/etc/raddb/users
reading pairlist file /home/setup.radius/etc/raddb/acct_users
reading pairlist file /home/setup.radius/etc/raddb/preproxy_users
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /home/setup.radius/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /home/setup.radius/etc/raddb/modules/detail
detail {
detailfile = "/home/setup.radius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
escape_filenames = no
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /home/setup.radius/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/home/setup.radius/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /home/setup.radius/etc/raddb/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /home/setup.radius/etc/raddb/modules/radutmp
radutmp {
filename = "/home/setup.radius/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /home/setup.radius/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/home/setup.radius/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /home/setup.radius/etc/raddb/attrs.access_reject
} # modules
} # server
server inner-tunnel { # from file /home/setup.radius/etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
server eduroam { # from file /home/setup.radius/etc/raddb/sites-enabled/eduroam
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Instantiating module "auth_log" from file /home/setup.radius/etc/raddb/modules/detail.log
detail auth_log {
detailfile = "/home/setup.radius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
escape_filenames = no
}
Module: Checking preacct {...} for more modules to load
Module: Checking pre-proxy {...} for more modules to load
Module: Instantiating module "pre_proxy_log" from file /home/setup.radius/etc/raddb/modules/detail.log
detail pre_proxy_log {
detailfile = "/home/setup.radius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
escape_filenames = no
}
Module: Instantiating module "attr_filter.pre-proxy" from file /home/setup.radius/etc/raddb/modules/attr_filter
attr_filter attr_filter.pre-proxy {
attrsfile = "/home/setup.radius/etc/raddb/attrs.pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /home/setup.radius/etc/raddb/attrs.pre-proxy
Module: Checking post-proxy {...} for more modules to load
Module: Instantiating module "post_proxy_log" from file /home/setup.radius/etc/raddb/modules/detail.log
detail post_proxy_log {
detailfile = "/home/setup.radius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
escape_filenames = no
}
Module: Instantiating module "attr_filter.post-proxy" from file /home/setup.radius/etc/raddb/modules/attr_filter
attr_filter attr_filter.post-proxy {
attrsfile = "/home/setup.radius/etc/raddb/attrs"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /home/setup.radius/etc/raddb/attrs
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "reply_log" from file /home/setup.radius/etc/raddb/modules/detail.log
detail reply_log {
detailfile = "/home/setup.radius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
escape_filenames = no
}
Module: Linked to module rlm_linelog
Module: Instantiating module "f_ticks" from file /home/setup.radius/etc/raddb/modules/f_ticks
linelog f_ticks {
filename = "syslog"
permissions = 384
format = ""
reference = "f_ticks.%{%{reply:Packet-Type}:-format}"
}
} # modules
} # server
server eduroam-inner-tunnel { # from file /home/setup.radius/etc/raddb/sites-enabled/eduroam-inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/home/setup.radius/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 51478
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /home/setup.radius/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=57, length=192
User-Name = "test.fac1"
Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "D4-63-C6-9E-33-BD"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "CC7E34D6-0000000F"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027074
WLAN-AKM-Suite = 1027073
Framed-MTU = 1400
EAP-Message = 0x028f000e01746573742e66616331
Message-Authenticator = 0x2dd69a2b06c00a9de727d4d4910b6878
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 143 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for test.fac1
[ldap] expand: %{Stripped-User-Name} -> test.fac1
[ldap] expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(policy=accept)(enabledapps=web)) -> (&(uid=test.fac1)(policy=accept)(enabledapps=web))
[ldap] expand: ou=people,dc=x,dc=com -> ou=people,dc=x,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to ldap.x.com:389, authentication 0
[ldap] bind as cn=wireless,ou=people,dc=x,dc=com/IDENTITY MASKED to ldap.x.com:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in ou=people,dc=x,dc=com with filter (&(uid=test.fac1)(policy=accept)(enabledapps=web))
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "{SSHA}IDENTITY MASKED"
[ldap] ntPassword -> NT-Password == IDENTITY MASKED
[ldap] lmPassword -> LM-Password == IDENTITY MASKED
[ldap] looking for reply items in directory...
[ldap] departmentNumber -> Dept-Number = "CSE"
[ldap] employeeType -> Filter-Id = "FAC"
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 57 to 103.21.127.8 port 36461
Filter-Id = "FAC"
EAP-Message = 0x019000061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x44e11138447108b3ddc39d6e6b8fcf3a
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=58, length=345
User-Name = "test.fac1"
Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "D4-63-C6-9E-33-BD"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "CC7E34D6-0000000F"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027074
WLAN-AKM-Suite = 1027073
Framed-MTU = 1400
EAP-Message = 0x0290009519800000008b1603010086010000820303d2d0dcb341329d470a66620c85cd9ca95100b951585a83e2f3322088b8f8249d00002ac02bc02fc02cc030cca9cca8c009c023c013c027c00ac024c014c028009c009d002f003c0035003d000a0100002fff0100010000170000000d0010000e0403040105030501060306010201000b00020100000a00080006001d00170018
State = 0x44e11138447108b3ddc39d6e6b8fcf3a
Message-Authenticator = 0xd3225adc21222bbe08c40088f3124cca
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 144 length 149
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 139
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< Unknown TLS version [length 0086]
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> Unknown TLS version [length 0039]
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> Unknown TLS version [length 08ee]
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> Unknown TLS version [length 014d]
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> Unknown TLS version [length 0004]
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: SSLv3 read client certificate A
[peap] TLS_accept: Need to read more data: SSLv3 read client key exchange A
[peap] TLS_accept: Need to read more data: SSLv3 read client key exchange A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 58 to 103.21.127.8 port 36461
EAP-Message = 0x1d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101001302ed567f477a828a34effb1be5a87e140173473485fb8d310719ed80a926c14c95b72b15f2e6331a43b733a5ad2fe1e495ae3896a1499c6825a616d6bc51cdcf660a6069172eba30489bec9a8729f2821188bad3678a2a1678f73f6b2fe4fdbaad7a72549c9663e324fcd6c8e08ebed908a58166de237c39ee4f8e295802381abf228dbfa129ca7bfd4c75eafa134590cda55af27e3bbe9a850a6317c41924637b35dd3d0d5534e28f7db9407abe986a46b8cbf387
EAP-Message = 0x593d2de647de76683cb6fd95
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x44e11138457008b3ddc39d6e6b8fcf3a
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=59, length=202
User-Name = "test.fac1"
Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "D4-63-C6-9E-33-BD"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "CC7E34D6-0000000F"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027074
WLAN-AKM-Suite = 1027073
Framed-MTU = 1400
EAP-Message = 0x029100061900
State = 0x44e11138457008b3ddc39d6e6b8fcf3a
Message-Authenticator = 0x3ee8595df00a1545ca24ced1373b4224
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 145 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 59 to 103.21.127.8 port 36461
EAP-Message = 0xff30360603551d1f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x44e11138467308b3ddc39d6e6b8fcf3a
Finished request 2.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=60, length=202
User-Name = "test.fac1"
Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "D4-63-C6-9E-33-BD"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "CC7E34D6-0000000F"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027074
WLAN-AKM-Suite = 1027073
Framed-MTU = 1400
EAP-Message = 0x029200061900
State = 0x44e11138467308b3ddc39d6e6b8fcf3a
Message-Authenticator = 0xfb8fd96993eb4d189d63eb354bdcaf70
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 146 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 60 to 103.21.127.8 port 36461
EAP-Message = 0xdc7a3c57fc2966073ac687529d646828040221acc839d856edd6a4d02fe265cedeea60cd4a6aa6da58de81bc11e002b1a6c00e97633e3781ef0ba790daae2e8f8dd5d5eaa6a4f6ae661d3c4c68e9160303014d0c00014903001741048157f67ad47b7975a3d5ef988ece4a22b7943cc6f4c831e12728f5469326775a6a2dd6bbdd06b86fa847470a73979f1a5cc1a2680d2f773243a2e954628a9f15040101008f382e96ba39664314647b136fa536cb5a74eda264fcdb9b369d9ee871ea3481ae4e7e1bc70e235e618fa403256a2636b9dfca45f6a1cd3751e6d6e164454e4e1b41a071187a5b139e0a40dff98594f42ce8de431658c12f452353a6e1
EAP-Message = 0xd2cf8ab2d0a2254b5a8701c3bdaa36f7078c26514d266e58200d425e1975c768b816581ab3324a7250a97157b66418b6680b70bf18e5d1d6220e2d4200844a39658722c27b08663766a3b7bb1d0adac8895c7dc0907234867ad31ba910819b1d7be6b41a54ce2e2486b27b1655c10a0842cf0ff4066307d425b368413da5c067f0913b9ca5e7165fac1eb81f8bd2e7c50d717dcdc15c07d340bf65dfc308b68682b32916030300040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x44e11138477208b3ddc39d6e6b8fcf3a
Finished request 3.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=61, length=332
User-Name = "test.fac1"
Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "D4-63-C6-9E-33-BD"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "CC7E34D6-0000000F"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027074
WLAN-AKM-Suite = 1027073
Framed-MTU = 1400
EAP-Message = 0x0293008819800000007e160303004610000042410441c65da909b29363fb6d94d11341d1a63737fc33858564e4777d1fba3938d34f6b6cde48fddbeaaa5b57166b057abae5919baef12bff79e808bb1c48fe2181dd14030300010116030300280000000000000000b56cff1d8d1a458245408995a7011c578778ff8cc1f11b05a84277633e87496c
State = 0x44e11138477208b3ddc39d6e6b8fcf3a
Message-Authenticator = 0xeebfb14c48e28cd794fa1ef51956772b
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 147 length 136
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 126
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< Unknown TLS version [length 0046]
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] TLS_accept: SSLv3 read certificate verify A
[peap] <<< Unknown TLS version [length 0001]
[peap] <<< Unknown TLS version [length 0010]
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> Unknown TLS version [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> Unknown TLS version [length 0010]
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 61 to 103.21.127.8 port 36461
EAP-Message = 0x019400391900140303000101160303002814208a69892760c3d1a54ca7591eb5f1381a96fcf9ce7e665ca765a62869c80ebc159d7b5abf84d5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x44e11138407508b3ddc39d6e6b8fcf3a
Finished request 4.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=62, length=202
User-Name = "test.fac1"
Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "D4-63-C6-9E-33-BD"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "CC7E34D6-0000000F"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027074
WLAN-AKM-Suite = 1027073
Framed-MTU = 1400
EAP-Message = 0x029400061900
State = 0x44e11138407508b3ddc39d6e6b8fcf3a
Message-Authenticator = 0x4924f62a9f2a41b5c9ac17caab27d7ee
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 148 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 62 to 103.21.127.8 port 36461
EAP-Message = 0x019500281900170303001d14208a69892760c405708180ee60e4d4a6b47310941d12bd78d06c7e3a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x44e11138417408b3ddc39d6e6b8fcf3a
Finished request 5.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=63, length=241
User-Name = "test.fac1"
Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "D4-63-C6-9E-33-BD"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "CC7E34D6-0000000F"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027074
WLAN-AKM-Suite = 1027073
Framed-MTU = 1400
EAP-Message = 0x0295002d190017030300220000000000000001dca5af0083d483ffafd631c034efed7ea97d0207ef4bd21fb770
State = 0x44e11138417408b3ddc39d6e6b8fcf3a
Message-Authenticator = 0x002dc507d8c58f08dc250b9e135fa976
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 149 length 45
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - test.fac1
[peap] Got inner identity 'test.fac1'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0295000e01746573742e66616331
server {
[peap] Setting User-Name to test.fac1
Sending tunneled request
EAP-Message = 0x0295000e01746573742e66616331
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test.fac1"
Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "D4-63-C6-9E-33-BD"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "CC7E34D6-0000000F"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027074
WLAN-AKM-Suite = 1027073
Framed-MTU = 1400
NAS-IP-Address = 103.21.127.8
server {
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 149 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for test.fac1
[ldap] expand: %{Stripped-User-Name} -> test.fac1
[ldap] expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(policy=accept)(enabledapps=web)) -> (&(uid=test.fac1)(policy=accept)(enabledapps=web))
[ldap] expand: ou=people,dc=x,dc=com -> ou=people,dc=x,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=people,dc=x,dc=com with filter (&(uid=test.fac1)(policy=accept)(enabledapps=web))
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "{SSHA}IDENTITY MASKED"
[ldap] ntPassword -> NT-Password == IDENTITY MASKED
[ldap] lmPassword -> LM-Password == IDENTITY MASKED
[ldap] looking for reply items in directory...
[ldap] departmentNumber -> Dept-Number = "CSE"
[ldap] employeeType -> Filter-Id = "FAC"
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server
[peap] Got tunneled reply code 11
Dept-Number = "CSE"
Filter-Id = "FAC"
EAP-Message = 0x019600231a0196001e1081d4aede15f3e759d816150f9f90d0d9746573742e66616331
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x259b8c2c250d963050bba180eb895341
[peap] Got tunneled reply RADIUS code Access-Challenge
Dept-Number = "CSE"
Filter-Id = "FAC"
EAP-Message = 0x019600231a0196001e1081d4aede15f3e759d816150f9f90d0d9746573742e66616331
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x259b8c2c250d963050bba180eb895341
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 63 to 103.21.127.8 port 36461
EAP-Message = 0x019600421900170303003714208a69892760c5976feee0c355b169fb0c3d9fdc4724796bc532c9fb4ed9af0fcefb0d4bcfbee14863a2ffb97e47b5414a148ead167d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x44e11138427708b3ddc39d6e6b8fcf3a
Finished request 6.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=64, length=295
User-Name = "test.fac1"
Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "D4-63-C6-9E-33-BD"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "CC7E34D6-0000000F"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027074
WLAN-AKM-Suite = 1027073
Framed-MTU = 1400
EAP-Message = 0x02960063190017030300580000000000000002f46448f8de434237a7801a1bfb84e5ab19879f21b09ec99ec48d2d6c970acd1b419056751d7ab0301ad2bbe80d1fe0150900afecd21455e9e133df368545eee2b5b9e6666278a19158420a986f896fd6
State = 0x44e11138427708b3ddc39d6e6b8fcf3a
Message-Authenticator = 0xca1c9218629941b0c5afe8dbf00724ab
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 150 length 99
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x029600441a0296003f310b504e9d0939a2a45337a15051a7e9c50000000000000000d4337995d2e6033e7ada08d52e715f700cc345f3ce7f619100746573742e66616331
server {
[peap] Setting User-Name to test.fac1
Sending tunneled request
EAP-Message = 0x029600441a0296003f310b504e9d0939a2a45337a15051a7e9c50000000000000000d4337995d2e6033e7ada08d52e715f700cc345f3ce7f619100746573742e66616331
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test.fac1"
State = 0x259b8c2c250d963050bba180eb895341
Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "D4-63-C6-9E-33-BD"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "CC7E34D6-0000000F"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027074
WLAN-AKM-Suite = 1027073
Framed-MTU = 1400
NAS-IP-Address = 103.21.127.8
server {
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 150 length 68
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for test.fac1
[ldap] expand: %{Stripped-User-Name} -> test.fac1
[ldap] expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(policy=accept)(enabledapps=web)) -> (&(uid=test.fac1)(policy=accept)(enabledapps=web))
[ldap] expand: ou=people,dc=x,dc=com -> ou=people,dc=x,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=people,dc=x,dc=com, with filter (&(uid=test.fac1)(policy=accept)(enabledapps=web))
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "{SSHA}IDENTITY MASKED"
[ldap] ntPassword -> NT-Password == IDENTITY MASKED
[ldap] lmPassword -> LM-Password == IDENTITY MASKED
[ldap] looking for reply items in directory...
[ldap] departmentNumber -> Dept-Number = "CSE"
[ldap] employeeType -> Filter-Id = "FAC"
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
[mschapv2] +group MS-CHAP {
[mschap] Found LM-Password
[mschap] Found NT-Password
[mschap] Creating challenge hash with username: test.fac1
[mschap] Client is using MS-CHAPv2 for test.fac1, we need NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Login incorrect: [test.fac1/<via Auth-Type = EAP>] (from client iitap port 0 cli D4-63-C6-9E-33-BD via TLS tunnel)
Using Post-Auth-Type Reject
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> test.fac1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
} # server
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\226E=691 R=1"
EAP-Message = 0x04960004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code Access-Reject
MS-CHAP-Error = "\226E=691 R=1"
EAP-Message = 0x04960004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 64 to 103.21.127.8 port 36461
EAP-Message = 0x0197002e1900170303002314208a69892760c6d80a328ac500594d0d4490eb89a52ae61d21e1b7b75e6ac66dd5d5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x44e11138437608b3ddc39d6e6b8fcf3a
Finished request 7.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=65, length=242
User-Name = "test.fac1"
Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "D4-63-C6-9E-33-BD"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "CC7E34D6-0000000F"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027074
WLAN-AKM-Suite = 1027073
Framed-MTU = 1400
EAP-Message = 0x0297002e1900170303002300000000000000032c20d0d40984d0150ae6d7f7f1ec0f16cfba56df3cab8b8ffea6fa
State = 0x44e11138437608b3ddc39d6e6b8fcf3a
Message-Authenticator = 0xa3b190fd72bdabffc94e17b43d816c26
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 151 length 46
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [test.fac1/<via Auth-Type = EAP>] (from client iitap port 0 cli D4-63-C6-9E-33-BD)
Using Post-Auth-Type Reject
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> test.fac1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 65 to 103.21.127.8 port 36461
EAP-Message = 0x04970004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.4 seconds.
Cleaning up request 0 ID 57 with timestamp +9
Cleaning up request 1 ID 58 with timestamp +9
Cleaning up request 2 ID 59 with timestamp +9
Cleaning up request 3 ID 60 with timestamp +9
Cleaning up request 4 ID 61 with timestamp +9
Cleaning up request 5 ID 62 with timestamp +9
Cleaning up request 6 ID 63 with timestamp +9
Cleaning up request 7 ID 64 with timestamp +9
Waking up in 1.0 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=66, length=192
User-Name = "test.fac1"
Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "D4-63-C6-9E-33-BD"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "CC7E34D6-00000010"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027074
WLAN-AKM-Suite = 1027073
Framed-MTU = 1400
EAP-Message = 0x0254000e01746573742e66616331
Message-Authenticator = 0xb1f5642ffb6186f10c15f40d590ad472
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 84 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for test.fac1
[ldap] expand: %{Stripped-User-Name} -> test.fac1
[ldap] expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(policy=accept)(enabledapps=web)) -> (&(uid=test.fac1)(policy=accept)(enabledapps=web))
[ldap] expand: ou=people,dc=x,dc=com -> ou=people,dc=x,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=people,dc=x,dc=com with filter (&(uid=test.fac1)(policy=accept)(enabledapps=web))
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "{SSHA}IDENTITY MASKED"
[ldap] ntPassword -> NT-Password == IDENTITY MASKED
[ldap] lmPassword -> LM-Password == IDENTITY MASKED
[ldap] looking for reply items in directory...
[ldap] departmentNumber -> Dept-Number = "CSE"
[ldap] employeeType -> Filter-Id = "FAC"
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 66 to 103.21.127.8 port 36461
Filter-Id = "FAC"
EAP-Message = 0x015500061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf64c6d3df6197448b300864323b9fbe1
Finished request 9.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=67, length=297
User-Name = "test.fac1"
Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "D4-63-C6-9E-33-BD"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "CC7E34D6-00000010"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027074
WLAN-AKM-Suite = 1027073
Framed-MTU = 1400
EAP-Message = 0x0255006519800000005b1603010056010000520301d678c93bb35b8d588af31841a9e833a163183e106c04f17966853081dc8c11a100000ec009c013c00ac014002f0035000a0100001bff0100010000170000000b00020100000a00080006001d00170018
State = 0xf64c6d3df6197448b300864323b9fbe1
Message-Authenticator = 0x40487db218603f578938282c0342e7f5
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 85 length 101
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 91
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0056], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 08ee], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: SSLv3 read client certificate A
[peap] TLS_accept: Need to read more data: SSLv3 read client key exchange A
[peap] TLS_accept: Need to read more data: SSLv3 read client key exchange A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 67 to 103.21.127.8 port 36461
EAP-Message = 0x1d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101001302ed567f477a828a34effb1be5a87e140173473485fb8d310719ed80a926c14c95b72b15f2e6331a43b733a5ad2fe1e495ae3896a1499c6825a616d6bc51cdcf660a6069172eba30489bec9a8729f2821188bad3678a2a1678f73f6b2fe4fdbaad7a72549c9663e324fcd6c8e08ebed908a58166de237c39ee4f8e295802381abf228dbfa129ca7bfd4c75eafa134590cda55af27e3bbe9a850a6317c41924637b35dd3d0d5534e28f7db9407abe986a46b8cbf387
EAP-Message = 0x593d2de647de76683cb6fd95
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf64c6d3df71a7448b300864323b9fbe1
Finished request 10.
Going to the next request
Waking up in 0.8 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=68, length=202
User-Name = "test.fac1"
Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "D4-63-C6-9E-33-BD"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "CC7E34D6-00000010"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027074
WLAN-AKM-Suite = 1027073
Framed-MTU = 1400
EAP-Message = 0x025600061900
State = 0xf64c6d3df71a7448b300864323b9fbe1
Message-Authenticator = 0x0c7944c040b7dc222f748f85c9c53651
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 86 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 68 to 103.21.127.8 port 36461
EAP-Message = 0x03551d0e04160414876f3b6ff4f034850d26e76d1cfa4727e22231683081ce0603551d230481c63081c38014876f3b6ff4f034850d26e76d1cfa4727e2223168a1819fa4819c308199310b300906035504061302494e3112301006035504080c094b61726e6174616b613110300e06035504070c074468617277616431143012060355040a0c0b49495420446861727761643122302006092a864886f70d01090116136d6f6e69746f724069697464682e61632e696e312a302806035504030c21494954204468617277616420436572746966696361746520417574686f72697479820900b195ed2925374bc5300f0603551d130101ff040530030101
EAP-Message = 0xff30360603551d1f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf64c6d3df41b7448b300864323b9fbe1
Finished request 11.
Going to the next request
Waking up in 0.8 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=69, length=202
User-Name = "test.fac1"
Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "D4-63-C6-9E-33-BD"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "CC7E34D6-00000010"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027074
WLAN-AKM-Suite = 1027073
Framed-MTU = 1400
EAP-Message = 0x025700061900
State = 0xf64c6d3df41b7448b300864323b9fbe1
Message-Authenticator = 0xc98bb4213da02a2bf288105768d12fde
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 87 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 69 to 103.21.127.8 port 36461
EAP-Message = 0x015802a41900042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b0500038201010004198cd9513bbda7757818012765e60d14d05dd60f18760c5e8726bb1c24da7347d6a13aa7feac3e7babaa4c0025d30906dd493ec9b861693893252c170010289afd64d7a9ef04742b44e7483698f7afb4dd629a1ffd15912faacc78959fcbc244600752e2ae04809970f4f3bd066fc6d1106aa64982437ee4ced6f4a9c539416fdd01ad64cfc3f3d2ffd2bdd25cd979e58bfaf16ff856ee621cdfa39093942e0921814b3d00fa00d1d07311be051b5b9967
EAP-Message = 0x3bde8c68608d63a18194c0331ee8620812a6769028fc2dd85f74c5718635ec6c8660953293de1a319ff9850ff66756040912649cb88451a988d26de947d626e1d8bb98b66a3c913486a1dc5f8fe4c91d694268160236d2b15f4bf87b84fedef58ce0bf5282a83c3f06fd559088fe00c72dd5bcccabcf179afa13a7e6b5edcc047de07ef00c13ddf0bae88c847c1b2172ee09aa4b301f47d30efde6e0d1ff790c0916030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf64c6d3df5147448b300864323b9fbe1
Finished request 12.
Going to the next request
Waking up in 0.7 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=70, length=340
User-Name = "test.fac1"
Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "D4-63-C6-9E-33-BD"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "CC7E34D6-00000010"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027074
WLAN-AKM-Suite = 1027073
Framed-MTU = 1400
EAP-Message = 0x025800901980000000861603010046100000424104584ba16d97871d2891aa9b3bea5e229fb2ce811431686caba1a8d84d812d5a7055114e286242d70be0b23dde2c418e89a88d080094004b18b1e2939714ae26e81403010001011603010030c070f2b7d3c54b88f31acb7bf6319262642b1bd6484bfdb1a741a78e11b953369205f391a8136f425bbfb69ef8d6af4b
State = 0xf64c6d3df5147448b300864323b9fbe1
Message-Authenticator = 0x31c135f80dcf8a27bf0a22d3c94d09f4
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 88 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] TLS_accept: SSLv3 read certificate verify A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 70 to 103.21.127.8 port 36461
EAP-Message = 0x01590041190014030100010116030100303bc90209e19f2430e55f5cbf00985af02cc61b69f0019ba85b767277063e8e0ed97f0d895170f858cd8a28fc3afb424b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf64c6d3df2157448b300864323b9fbe1
Finished request 13.
Going to the next request
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=71, length=202
User-Name = "test.fac1"
Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "D4-63-C6-9E-33-BD"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "CC7E34D6-00000010"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027074
WLAN-AKM-Suite = 1027073
Framed-MTU = 1400
EAP-Message = 0x025900061900
State = 0xf64c6d3df2157448b300864323b9fbe1
Message-Authenticator = 0xab95c807c503f9ad0d789ce03832f569
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 89 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 71 to 103.21.127.8 port 36461
EAP-Message = 0x015a002b190017030100206f4920eb854df0451d363d165f7acf473630057ee08cc02c12b201b5f6702598
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf64c6d3df3167448b300864323b9fbe1
Finished request 14.
Going to the next request
Waking up in 0.5 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=72, length=239
User-Name = "test.fac1"
Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "D4-63-C6-9E-33-BD"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "CC7E34D6-00000010"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027074
WLAN-AKM-Suite = 1027073
Framed-MTU = 1400
EAP-Message = 0x025a002b190017030100205c65d1d796601360dcb13de2236f36e89ff35c42816dca8cf98ae434d714ceac
State = 0xf64c6d3df3167448b300864323b9fbe1
Message-Authenticator = 0x006d13f8c9b7a38a4c26610332abd833
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 90 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - test.fac1
[peap] Got inner identity 'test.fac1'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x025a000e01746573742e66616331
server {
[peap] Setting User-Name to test.fac1
Sending tunneled request
EAP-Message = 0x025a000e01746573742e66616331
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test.fac1"
Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "D4-63-C6-9E-33-BD"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "CC7E34D6-00000010"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027074
WLAN-AKM-Suite = 1027073
Framed-MTU = 1400
NAS-IP-Address = 103.21.127.8
server {
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 90 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for test.fac1
[ldap] expand: %{Stripped-User-Name} -> test.fac1
[ldap] expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(policy=accept)(enabledapps=web)) -> (&(uid=test.fac1)(policy=accept)(enabledapps=web))
[ldap] expand: ou=people,dc=x,dc=com -> ou=people,dc=x,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=people,dc=x,dc=com, with filter (&(uid=test.fac1)(policy=accept)(enabledapps=web))
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "{SSHA}IDENTITY MASKED"
[ldap] ntPassword -> NT-Password == IDENTITY MASKED
[ldap] lmPassword -> LM-Password == IDENTITY MASKED
[ldap] looking for reply items in directory...
[ldap] departmentNumber -> Dept-Number = "CSE"
[ldap] employeeType -> Filter-Id = "FAC"
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server
[peap] Got tunneled reply code 11
Dept-Number = "CSE"
Filter-Id = "FAC"
EAP-Message = 0x015b00231a015b001e106531f4bf18f818e8e4221a8bd460bf2e746573742e66616331
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9066a9d2903db333e0a2f21a2e0aad03
[peap] Got tunneled reply RADIUS code Access-Challenge
Dept-Number = "CSE"
Filter-Id = "FAC"
EAP-Message = 0x015b00231a015b001e106531f4bf18f818e8e4221a8bd460bf2e746573742e66616331
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9066a9d2903db333e0a2f21a2e0aad03
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 72 to 103.21.127.8 port 36461
EAP-Message = 0x015b004b190017030100404b1b14f967f93b961efe2df125d134cf7b14d87cb1bd2cca9eab812b0fb1c55bf3c06d90b7abb0d91e0ad2dd0d41fea13bed09e1b8300d6ffdfd8a6ccd9c7879
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf64c6d3df0177448b300864323b9fbe1
Finished request 15.
Going to the next request
Waking up in 0.5 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=73, length=303
User-Name = "test.fac1"
Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "D4-63-C6-9E-33-BD"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "CC7E34D6-00000010"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027074
WLAN-AKM-Suite = 1027073
Framed-MTU = 1400
EAP-Message = 0x025b006b19001703010060378eb43c3a7e9f6cc65f24c1420572c0011ee5ac5f81d2bf033378dcc7b83f865d841b8d035876eaaa399e63b1a14690a35229e04578007d3bd51e76a41288e8ec1e0637e6643a09c5e0bab192d14fb71c68c742c21d5f0e83064bddcd34c7e3
State = 0xf64c6d3df0177448b300864323b9fbe1
Message-Authenticator = 0x35c0d2f07afba1d971703de5e1484e9c
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 91 length 107
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x025b00441a025b003f310c0d01affbc837bc31ce19af039a159500000000000000006a76b0df704322f1aee34d2891a1fcdba145f497f3c5d33300746573742e66616331
server {
[peap] Setting User-Name to test.fac1
Sending tunneled request
EAP-Message = 0x025b00441a025b003f310c0d01affbc837bc31ce19af039a159500000000000000006a76b0df704322f1aee34d2891a1fcdba145f497f3c5d33300746573742e66616331
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test.fac1"
State = 0x9066a9d2903db333e0a2f21a2e0aad03
Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "D4-63-C6-9E-33-BD"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "CC7E34D6-00000010"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027074
WLAN-AKM-Suite = 1027073
Framed-MTU = 1400
NAS-IP-Address = 103.21.127.8
server {
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 91 length 68
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for test.fac1
[ldap] expand: %{Stripped-User-Name} -> test.fac1
[ldap] expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(policy=accept)(enabledapps=web)) -> (&(uid=test.fac1)(policy=accept)(enabledapps=web))
[ldap] expand: ou=people,dc=x,dc=com -> ou=people,dc=x,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=people,dc=x,dc=com with filter (&(uid=test.fac1)(policy=accept)(enabledapps=web))
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "{SSHA}IDENTITY MASKED"
[ldap] ntPassword -> NT-Password == IDENTITY MASKED
[ldap] lmPassword -> LM-Password == IDENTITY MASKED
[ldap] looking for reply items in directory...
[ldap] departmentNumber -> Dept-Number = "CSE"
[ldap] employeeType -> Filter-Id = "FAC"
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
[mschapv2] +group MS-CHAP {
[mschap] Found LM-Password
[mschap] Found NT-Password
[mschap] Creating challenge hash with username: test.fac1
[mschap] Client is using MS-CHAPv2 for test.fac1, we need NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Login incorrect: [test.fac1/<via Auth-Type = EAP>] (from client iitap port 0 cli D4-63-C6-9E-33-BD via TLS tunnel)
Using Post-Auth-Type Reject
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> test.fac1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
} # server
[peap] Got tunneled reply code 3
MS-CHAP-Error = "[E=691 R=1"
EAP-Message = 0x045b0004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code Access-Reject
MS-CHAP-Error = "[E=691 R=1"
EAP-Message = 0x045b0004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 73 to 103.21.127.8 port 36461
EAP-Message = 0x015c002b19001703010020c9b3ce265f03e10c55e890396b6ffdcb8ca7f5811b9169c5d1268f4e16706a49
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf64c6d3df1107448b300864323b9fbe1
Finished request 16.
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=74, length=239
User-Name = "test.fac1"
Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "D4-63-C6-9E-33-BD"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "CC7E34D6-00000010"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027074
WLAN-AKM-Suite = 1027073
Framed-MTU = 1400
EAP-Message = 0x025c002b190017030100209a17fa6c0aec67a9c31f4f734b75ca7850221c5039f2b31171ca60a8bb087267
State = 0xf64c6d3df1107448b300864323b9fbe1
Message-Authenticator = 0xda86c8f02d3c4c10537082485fac5efa
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 92 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [test.fac1/<via Auth-Type = EAP>] (from client iitap port 0 cli D4-63-C6-9E-33-BD)
Using Post-Auth-Type Reject
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> test.fac1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 17 for 1 seconds
Going to the next request
Waking up in 0.3 seconds.
Cleaning up request 8 ID 65 with timestamp +9
Waking up in 0.6 seconds.
Sending delayed reject for request 17
Sending Access-Reject of id 74 to 103.21.127.8 port 36461
EAP-Message = 0x045c0004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.4 seconds.
^C
[root at radius ~]#