Password " $ " Sign issue

prasad karulkar prasad at iitdh.ac.in
Fri Mar 29 07:22:12 CET 2019


Dear Alan,

Please find attached debug logs.

Following is the error as per the logs. What can be the issue, please?

[mschap] Client is using MS-CHAPv2 for test.fac1, we need NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Login incorrect: [test.fac1/<via Auth-Type = EAP>] (from client iitap port 0 cli D4-63-C6-9E-33-BD via TLS tunnel)
Using Post-Auth-Type Reject



On Fri, Mar 22, 2019 at 4:27 PM Alan DeKok <aland at deployingradius.com>
wrote:

> On Mar 22, 2019, at 1:21 AM, prasad karulkar <prasad at iitdh.ac.in> wrote:
> > I have configured FreeRadius server for my cisco wireless authentication
> > through LDAP.
> > I am facing one issue.
> > When a user sets a password which has a $ sign, the user is not able to
> > access wireless.
> >
> > e.g. :
> > 1. If user's password is : Pass123$   then it does connect to wireless
> > 2. If user's password is : Pass$123 then it does not connect to wireless
> > 3. If we put the $ sign anywhere in between the password, the user is not able to
> > connect to wireless.
> >
> > I see from the aaa debugs that the Radius server sent Access-Reject, as you
> > see below:
> >
> >                  *radiusTransportThread: Mar 20 10:48:02.130:
> > 3c:f8:62:7e:fd:1a Access-Reject received from RADIUS server 10.250.200.11
> > (qid:10) with port:1812, pktId:167 for mobile 3c:f8:62:7e:fd:1a receiveId = 6
>
>   If only FreeRADIUS had debug output you could read.
>
>   Alan DeKok.
-------------- next part --------------
[root at radius ~]#
[root at radius ~]# radiusd -X
radiusd: FreeRADIUS Version 2.2.10, for host x86_64-unknown-linux-gnu, built on Jan 30 2019 at 00:05:00
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /home/setup.radius/etc/raddb/radiusd.conf
including configuration file /home/setup.radius/etc/raddb/proxy.conf
including configuration file /home/setup.radius/etc/raddb/clients.conf
including files in directory /home/setup.radius/etc/raddb/modules/
including configuration file /home/setup.radius/etc/raddb/modules/acct_unique
including configuration file /home/setup.radius/etc/raddb/modules/always
including configuration file /home/setup.radius/etc/raddb/modules/attr_filter
including configuration file /home/setup.radius/etc/raddb/modules/attr_rewrite
including configuration file /home/setup.radius/etc/raddb/modules/cache
including configuration file /home/setup.radius/etc/raddb/modules/chap
including configuration file /home/setup.radius/etc/raddb/modules/checkval
including configuration file /home/setup.radius/etc/raddb/modules/counter
including configuration file /home/setup.radius/etc/raddb/modules/cui
including configuration file /home/setup.radius/etc/raddb/modules/detail
including configuration file /home/setup.radius/etc/raddb/modules/detail.example.com
including configuration file /home/setup.radius/etc/raddb/modules/detail.log
including configuration file /home/setup.radius/etc/raddb/modules/dhcp_sqlippool
including configuration file /home/setup.radius/etc/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /home/setup.radius/etc/raddb/modules/digest
including configuration file /home/setup.radius/etc/raddb/modules/dynamic_clients
including configuration file /home/setup.radius/etc/raddb/modules/echo
including configuration file /home/setup.radius/etc/raddb/modules/etc_group
including configuration file /home/setup.radius/etc/raddb/modules/exec
including configuration file /home/setup.radius/etc/raddb/modules/expiration
including configuration file /home/setup.radius/etc/raddb/modules/expr
including configuration file /home/setup.radius/etc/raddb/modules/files
including configuration file /home/setup.radius/etc/raddb/modules/ippool
including configuration file /home/setup.radius/etc/raddb/modules/krb5
including configuration file /home/setup.radius/etc/raddb/modules/linelog
including configuration file /home/setup.radius/etc/raddb/modules/logintime
including configuration file /home/setup.radius/etc/raddb/modules/mac2ip
including configuration file /home/setup.radius/etc/raddb/modules/mac2vlan
including configuration file /home/setup.radius/etc/raddb/modules/ntlm_auth
including configuration file /home/setup.radius/etc/raddb/modules/opendirectory
including configuration file /home/setup.radius/etc/raddb/modules/otp
including configuration file /home/setup.radius/etc/raddb/modules/pam
including configuration file /home/setup.radius/etc/raddb/modules/pap
including configuration file /home/setup.radius/etc/raddb/modules/passwd
including configuration file /home/setup.radius/etc/raddb/modules/perl
including configuration file /home/setup.radius/etc/raddb/modules/policy
including configuration file /home/setup.radius/etc/raddb/modules/preprocess
including configuration file /home/setup.radius/etc/raddb/modules/radrelay
including configuration file /home/setup.radius/etc/raddb/modules/radutmp
including configuration file /home/setup.radius/etc/raddb/modules/realm
including configuration file /home/setup.radius/etc/raddb/modules/redis
including configuration file /home/setup.radius/etc/raddb/modules/rediswho
including configuration file /home/setup.radius/etc/raddb/modules/replicate
including configuration file /home/setup.radius/etc/raddb/modules/smbpasswd
including configuration file /home/setup.radius/etc/raddb/modules/smsotp
including configuration file /home/setup.radius/etc/raddb/modules/soh
including configuration file /home/setup.radius/etc/raddb/modules/sql_log
including configuration file /home/setup.radius/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /home/setup.radius/etc/raddb/modules/sradutmp
including configuration file /home/setup.radius/etc/raddb/modules/unix
including configuration file /home/setup.radius/etc/raddb/modules/wimax
including configuration file /home/setup.radius/etc/raddb/modules/inner-eap
including configuration file /home/setup.radius/etc/raddb/modules/mschap
including configuration file /home/setup.radius/etc/raddb/modules/ldap
including configuration file /home/setup.radius/etc/raddb/modules/f_ticks
including configuration file /home/setup.radius/etc/raddb/eap.conf
including configuration file /home/setup.radius/etc/raddb/policy.conf
including files in directory /home/setup.radius/etc/raddb/sites-enabled/
including configuration file /home/setup.radius/etc/raddb/sites-enabled/default
including configuration file /home/setup.radius/etc/raddb/sites-enabled/inner-tunnel
including configuration file /home/setup.radius/etc/raddb/sites-enabled/control-socket
including configuration file /home/setup.radius/etc/raddb/sites-enabled/eduroam
including configuration file /home/setup.radius/etc/raddb/sites-enabled/eduroam-inner-tunnel
main {
        user = "radiusd"
        group = "radiusd"
        allow_core_dumps = no
}
including dictionary file /home/setup.radius/etc/raddb/dictionary
main {
        name = "radiusd"
        prefix = "/home/setup.radius"
        localstatedir = "/home/setup.radius/var"
        sbindir = "/home/setup.radius/sbin"
        logdir = "/home/setup.radius/var/log/radius"
        run_dir = "/home/setup.radius/var/run/radiusd"
        libdir = "/home/setup.radius/lib"
        radacctdir = "/home/setup.radius/var/log/radius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        pidfile = "/home/setup.radius/var/run/radiusd/radiusd.pid"
        checkrad = "/home/setup.radius/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 log {
        stripped_names = no
        auth = yes
        auth_badpass = yes
        auth_goodpass = yes
 }
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
        allow_vulnerable_openssl = no
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
 }
 home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = "auth"
        secret = "IDENTITY MASKED"
        response_window = 20
        max_outstanding = 65536
        require_message_authenticator = yes
        zombie_period = 40
        status_check = "status-server"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
  coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
  }
 }
 home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
 }
 realm example.com {
        auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
 realm NULL {
        authhost = LOCAL
 }
 realm x.com {
        authhost = LOCAL
 }
 realm DEFAULT {
        nostrip
        authhost = flr1.eduroam.ernet.in
        secret = IDENTITY MASKED
 }
radiusd: #### Loading Clients ####
 client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = "IDENTITY MASKED"
        nastype = "other"
 }
 client 10.250.200.52 {
        require_message_authenticator = no
        secret = "IDENTITY MASKED"
 }
 client iitap {
        ipaddr = 103.21.127.8
        require_message_authenticator = no
        secret = "IDENTITY MASKED"
 }
 client cisco-controller {
        ipaddr = 10.196.3.252
        require_message_authenticator = no
        secret = "IDENTITY MASKED"
 }
 client 10.250.1.0/24 {
        require_message_authenticator = no
        secret = "IDENTITY MASKED"
        shortname = "mojo-dc"
 }
 client 10.250.9.0/24 {
        require_message_authenticator = no
        secret = "IDENTITY MASKED"
        shortname = "classrooms-left"
 }
 client 10.250.10.0/24 {
        require_message_authenticator = no
        secret = "IDENTITY MASKED"
        shortname = "classrooms-middle"
 }
 client 10.250.11.0/24 {
        require_message_authenticator = no
        secret = "IDENTITY MASKED"
        shortname = "classrooms-right"
 }
 client 10.250.12.0/24 {
        require_message_authenticator = no
        secret = "IDENTITY MASKED"
        shortname = "lcr-lab"
 }
 client 10.250.26.0/24 {
        require_message_authenticator = no
        secret = "IDENTITY MASKED"
        shortname = "mess-building"
 }
 client 10.250.27.0/24 {
        require_message_authenticator = no
        secret = "IDENTITY MASKED"
        shortname = "hostel-1"
 }
 client 10.250.28.0/24 {
        require_message_authenticator = no
        secret = "IDENTITY MASKED"
        shortname = "hostel-2"
 }
 client 10.250.29.0/24 {
        require_message_authenticator = no
        secret = "IDENTITY MASKED"
        shortname = "hostel-3"
 }
 client 10.250.30.0/24 {
        require_message_authenticator = no
        secret = "IDENTITY MASKED"
        shortname = "hostel-4"
 }
 client 10.250.31.0/24 {
        require_message_authenticator = no
        secret = "IDENTITY MASKED"
        shortname = "hostel-5"
 }
 client 10.250.32.0/24 {
        require_message_authenticator = no
        secret = "IDENTITY MASKED"
        shortname = "hostel-6"
 }
 client 10.250.33.0/24 {
        require_message_authenticator = no
        secret = "IDENTITY MASKED"
        shortname = "hostel-7"
 }
 client 10.250.34.0/24 {
        require_message_authenticator = no
        secret = "IDENTITY MASKED"
        shortname = "hostel-8"
 }
 client 10.250.35.0/24 {
        require_message_authenticator = no
        secret = "IDENTITY MASKED"
        shortname = "hostel-9"
 }
 client 10.250.36.0/24 {
        require_message_authenticator = no
        secret = "IDENTITY MASKED"
        shortname = "hostel-10"
 }
 client flr1.eduroam.ernet.in {
        require_message_authenticator = no
        secret = "IDENTITY MASKED"
        shortname = "flr1"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /home/setup.radius/etc/raddb/modules/exec
  exec {
        wait = no
        input_pairs = "request"
        shell_escape = yes
        timeout = 10
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /home/setup.radius/etc/raddb/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /home/setup.radius/etc/raddb/modules/expiration
  expiration {
        reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /home/setup.radius/etc/raddb/modules/logintime
  logintime {
        reply-message = "You are calling outside your allowed timespan  "
        minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server { # from file /home/setup.radius/etc/raddb/radiusd.conf
 modules {
  Module: Creating Auth-Type = digest
  Module: Creating Auth-Type = LDAP
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /home/setup.radius/etc/raddb/modules/pap
  pap {
        encryption_scheme = "auto"
        auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /home/setup.radius/etc/raddb/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /home/setup.radius/etc/raddb/modules/mschap
  mschap {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = no
        allow_retry = yes
  }
 Module: Linked to module rlm_digest
 Module: Instantiating module "digest" from file /home/setup.radius/etc/raddb/modules/digest
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /home/setup.radius/etc/raddb/modules/unix
  unix {
        radwtmp = "/home/setup.radius/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_ldap
 Module: Instantiating module "ldap" from file /home/setup.radius/etc/raddb/modules/ldap
  ldap {
        server = "ldap.x.com"
        port = 389
        password = "IDENTITY MASKED"
        expect_password = yes
        identity = "cn=wireless,ou=people,dc=x,dc=com"
        net_timeout = 1
        timeout = 4
        timelimit = 3
        max_uses = 0
        tls_mode = no
        start_tls = no
        tls_require_cert = "allow"
   tls {
        start_tls = no
        require_cert = "allow"
   }
        basedn = "ou=people,dc=x,dc=com"
        filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(policy=accept)(enabledapps=web))"
        base_filter = "(objectclass=posixAccount)"
        auto_header = no
        access_attr_used_for_allow = yes
        groupname_attribute = "cn"
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
        dictionary_mapping = "/home/setup.radius/etc/raddb/ldap.attrmap"
        ldap_debug = 0
        ldap_connections_number = 5
        compare_check_items = no
        do_xlat = yes
        set_auth_type = yes
   keepalive {
        idle = 60
        probes = 3
        interval = 3
   }
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /home/setup.radius/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP employeeType mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
rlm_ldap: LDAP departmentNumber mapped to RADIUS Dept-Number
conns: 0x1ce6f80
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /home/setup.radius/etc/raddb/eap.conf
  eap {
        default_eap_type = "peap"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/home/setup.radius/etc/raddb/certs/server.key"
        certificate_file = "/home/setup.radius/etc/raddb/certs/server.pem"
        CA_file = "/home/setup.radius/etc/raddb/certs/ca.pem"
        private_key_password = "IDENTITY MASKED"
        dh_file = "/home/setup.radius/etc/raddb/certs/dh"
        random_file = "/dev/urandom"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        check_all_crl = no
        cipher_list = "DEFAULT"
        ecdh_curve = "prime256v1"
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "eduroam-inner-tunnel"
        include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = yes
        soh = no
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
        with_ntdomain_hack = no
        send_error = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file /home/setup.radius/etc/raddb/modules/preprocess
  preprocess {
        huntgroups = "/home/setup.radius/etc/raddb/huntgroups"
        hints = "/home/setup.radius/etc/raddb/hints"
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
  }
reading pairlist file /home/setup.radius/etc/raddb/huntgroups
reading pairlist file /home/setup.radius/etc/raddb/hints
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file /home/setup.radius/etc/raddb/modules/realm
  realm suffix {
        format = "suffix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /home/setup.radius/etc/raddb/modules/files
  files {
        usersfile = "/home/setup.radius/etc/raddb/users"
        acctusersfile = "/home/setup.radius/etc/raddb/acct_users"
        preproxy_usersfile = "/home/setup.radius/etc/raddb/preproxy_users"
        compat = "no"
  }
reading pairlist file /home/setup.radius/etc/raddb/users
reading pairlist file /home/setup.radius/etc/raddb/acct_users
reading pairlist file /home/setup.radius/etc/raddb/preproxy_users
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file /home/setup.radius/etc/raddb/modules/acct_unique
  acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module "detail" from file /home/setup.radius/etc/raddb/modules/detail
  detail {
        detailfile = "/home/setup.radius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
        escape_filenames = no
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.accounting_response" from file /home/setup.radius/etc/raddb/modules/attr_filter
  attr_filter attr_filter.accounting_response {
        attrsfile = "/home/setup.radius/etc/raddb/attrs.accounting_response"
        key = "%{User-Name}"
        relaxed = no
  }
reading pairlist file /home/setup.radius/etc/raddb/attrs.accounting_response
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /home/setup.radius/etc/raddb/modules/radutmp
  radutmp {
        filename = "/home/setup.radius/var/log/radius/radutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        perm = 384
        callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "attr_filter.access_reject" from file /home/setup.radius/etc/raddb/modules/attr_filter
  attr_filter attr_filter.access_reject {
        attrsfile = "/home/setup.radius/etc/raddb/attrs.access_reject"
        key = "%{User-Name}"
        relaxed = no
  }
reading pairlist file /home/setup.radius/etc/raddb/attrs.access_reject
 } # modules
} # server
server inner-tunnel { # from file /home/setup.radius/etc/raddb/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
server eduroam { # from file /home/setup.radius/etc/raddb/sites-enabled/eduroam
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Instantiating module "auth_log" from file /home/setup.radius/etc/raddb/modules/detail.log
  detail auth_log {
        detailfile = "/home/setup.radius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
        escape_filenames = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Checking pre-proxy {...} for more modules to load
 Module: Instantiating module "pre_proxy_log" from file /home/setup.radius/etc/raddb/modules/detail.log
  detail pre_proxy_log {
        detailfile = "/home/setup.radius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
        escape_filenames = no
  }
 Module: Instantiating module "attr_filter.pre-proxy" from file /home/setup.radius/etc/raddb/modules/attr_filter
  attr_filter attr_filter.pre-proxy {
        attrsfile = "/home/setup.radius/etc/raddb/attrs.pre-proxy"
        key = "%{Realm}"
        relaxed = no
  }
reading pairlist file /home/setup.radius/etc/raddb/attrs.pre-proxy
 Module: Checking post-proxy {...} for more modules to load
 Module: Instantiating module "post_proxy_log" from file /home/setup.radius/etc/raddb/modules/detail.log
  detail post_proxy_log {
        detailfile = "/home/setup.radius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
        escape_filenames = no
  }
 Module: Instantiating module "attr_filter.post-proxy" from file /home/setup.radius/etc/raddb/modules/attr_filter
  attr_filter attr_filter.post-proxy {
        attrsfile = "/home/setup.radius/etc/raddb/attrs"
        key = "%{Realm}"
        relaxed = no
  }
reading pairlist file /home/setup.radius/etc/raddb/attrs
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "reply_log" from file /home/setup.radius/etc/raddb/modules/detail.log
  detail reply_log {
        detailfile = "/home/setup.radius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
        escape_filenames = no
  }
 Module: Linked to module rlm_linelog
 Module: Instantiating module "f_ticks" from file /home/setup.radius/etc/raddb/modules/f_ticks
  linelog f_ticks {
        filename = "syslog"
        permissions = 384
        format = ""
        reference = "f_ticks.%{%{reply:Packet-Type}:-format}"
  }
 } # modules
} # server
server eduroam-inner-tunnel { # from file /home/setup.radius/etc/raddb/sites-enabled/eduroam-inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = *
        port = 0
}
listen {
        type = "acct"
        ipaddr = *
        port = 0
}
listen {
        type = "control"
 listen {
        socket = "/home/setup.radius/var/run/radiusd/radiusd.sock"
 }
}
listen {
        type = "auth"
        ipaddr = 127.0.0.1
        port = 18120
}
 ... adding new socket proxy address * port 51478
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /home/setup.radius/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=57, length=192
        User-Name = "test.fac1"
        Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "D4-63-C6-9E-33-BD"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "CC7E34D6-0000000F"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027074
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x028f000e01746573742e66616331
        Message-Authenticator = 0x2dd69a2b06c00a9de727d4d4910b6878
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 143 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for test.fac1
[ldap]  expand: %{Stripped-User-Name} -> test.fac1
[ldap]  expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(policy=accept)(enabledapps=web)) -> (&(uid=test.fac1)(policy=accept)(enabledapps=web))
[ldap]  expand: ou=people,dc=x,dc=com -> ou=people,dc=x,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to ldap.x.com:389, authentication 0
  [ldap] bind as cn=wireless,ou=people,dc=x,dc=com/IDENTITY MASKED to ldap.x.com:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in ou=people,dc=x,dc=com with filter (&(uid=test.fac1)(policy=accept)(enabledapps=web))
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "{SSHA}IDENTITY MASKED"
  [ldap] ntPassword -> NT-Password == IDENTITY MASKED
  [ldap] lmPassword -> LM-Password == IDENTITY MASKED
[ldap] looking for reply items in directory...
  [ldap] departmentNumber -> Dept-Number = "CSE"
  [ldap] employeeType -> Filter-Id = "FAC"
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 57 to 103.21.127.8 port 36461
        Filter-Id = "FAC"
        EAP-Message = 0x019000061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x44e11138447108b3ddc39d6e6b8fcf3a
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=58, length=345
        User-Name = "test.fac1"
        Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "D4-63-C6-9E-33-BD"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "CC7E34D6-0000000F"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027074
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x0290009519800000008b1603010086010000820303d2d0dcb341329d470a66620c85cd9ca95100b951585a83e2f3322088b8f8249d00002ac02bc02fc02cc030cca9cca8c009c023c013c027c00ac024c014c028009c009d002f003c0035003d000a0100002fff0100010000170000000d0010000e0403040105030501060306010201000b00020100000a00080006001d00170018
        State = 0x44e11138447108b3ddc39d6e6b8fcf3a
        Message-Authenticator = 0xd3225adc21222bbe08c40088f3124cca
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 144 length 149
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 139
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< Unknown TLS version [length 0086]
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> Unknown TLS version [length 0039]
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> Unknown TLS version [length 08ee]
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> Unknown TLS version [length 014d]
[peap]     TLS_accept: SSLv3 write key exchange A
[peap] >>> Unknown TLS version [length 0004]
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: SSLv3 read client certificate A
[peap]     TLS_accept: Need to read more data: SSLv3 read client key exchange A
[peap]     TLS_accept: Need to read more data: SSLv3 read client key exchange A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 58 to 103.21.127.8 port 36461
        EAP-Message = 0x0191040019c000000a8c16030300390200003503038a81216071d4a6c42a243fe76ac8ac6975080bef93f45b079d6679283f973ca100c02f00000dff01000100000b00040300010216030308ee0b0008ea0008e70003e7308203e3308202cba003020102020101300d06092a864886f70d01010b0500308199310b300906035504061302494e3112301006035504080c094b61726e6174616b613110300e06035504070c074468617277616431143012060355040a0c0b49495420446861727761643122302006092a864886f70d01090116136d6f6e69746f724069697464682e61632e696e312a302806035504030c21494954204468617277616420
        EAP-Message = 0x8b6d6169b9fb0c255bc7ade7d879902aa4a060f96cd4e0c25ff660cdf5ecf4492055712b6d334868161dea5f988314bc360df494f987900b0f6fd8b6a0e3e63e7577ad34c71e55cb327d7d57b5fe3c38dacdf153ed5a14a62f438b815cc91102a28033020c8373e7b82484c3f04fe984847437e62d4769ff7c40081dc6651d2736549bf4fa9e3108ef872332aded8f649ed1e11892a3cfa16566b15e183bc0f8c99b698830c692f383b890b8a0730a7458d0b2348bf314efbb066ceaf4bb1f70e0be1255bee09c84db6bb06f77ea9efa36519b644b1f50a79ad90203010001a34f304d30130603551d25040c300a06082b060105050703013036060355
        EAP-Message = 0x1d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101001302ed567f477a828a34effb1be5a87e140173473485fb8d310719ed80a926c14c95b72b15f2e6331a43b733a5ad2fe1e495ae3896a1499c6825a616d6bc51cdcf660a6069172eba30489bec9a8729f2821188bad3678a2a1678f73f6b2fe4fdbaad7a72549c9663e324fcd6c8e08ebed908a58166de237c39ee4f8e295802381abf228dbfa129ca7bfd4c75eafa134590cda55af27e3bbe9a850a6317c41924637b35dd3d0d5534e28f7db9407abe986a46b8cbf387
        EAP-Message = 0x593d2de647de76683cb6fd95
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x44e11138457008b3ddc39d6e6b8fcf3a
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=59, length=202
        User-Name = "test.fac1"
        Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "D4-63-C6-9E-33-BD"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "CC7E34D6-0000000F"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027074
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x029100061900
        State = 0x44e11138457008b3ddc39d6e6b8fcf3a
        Message-Authenticator = 0x3ee8595df00a1545ca24ced1373b4224
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 145 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 59 to 103.21.127.8 port 36461
        EAP-Message = 0xff30360603551d1f
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x44e11138467308b3ddc39d6e6b8fcf3a
Finished request 2.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=60, length=202
        User-Name = "test.fac1"
        Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "D4-63-C6-9E-33-BD"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "CC7E34D6-0000000F"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027074
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x029200061900
        State = 0x44e11138467308b3ddc39d6e6b8fcf3a
        Message-Authenticator = 0xfb8fd96993eb4d189d63eb354bdcaf70
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 146 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 60 to 103.21.127.8 port 36461
        EAP-Message = 0xd2cf8ab2d0a2254b5a8701c3bdaa36f7078c26514d266e58200d425e1975c768b816581ab3324a7250a97157b66418b6680b70bf18e5d1d6220e2d4200844a39658722c27b08663766a3b7bb1d0adac8895c7dc0907234867ad31ba910819b1d7be6b41a54ce2e2486b27b1655c10a0842cf0ff4066307d425b368413da5c067f0913b9ca5e7165fac1eb81f8bd2e7c50d717dcdc15c07d340bf65dfc308b68682b32916030300040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x44e11138477208b3ddc39d6e6b8fcf3a
Finished request 3.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=61, length=332
        User-Name = "test.fac1"
        Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "D4-63-C6-9E-33-BD"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "CC7E34D6-0000000F"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027074
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x0293008819800000007e160303004610000042410441c65da909b29363fb6d94d11341d1a63737fc33858564e4777d1fba3938d34f6b6cde48fddbeaaa5b57166b057abae5919baef12bff79e808bb1c48fe2181dd14030300010116030300280000000000000000b56cff1d8d1a458245408995a7011c578778ff8cc1f11b05a84277633e87496c
        State = 0x44e11138477208b3ddc39d6e6b8fcf3a
        Message-Authenticator = 0xeebfb14c48e28cd794fa1ef51956772b
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 147 length 136
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 126
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< Unknown TLS version [length 0046]
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap]     TLS_accept: SSLv3 read certificate verify A
[peap] <<< Unknown TLS version [length 0001]
[peap] <<< Unknown TLS version [length 0010]
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> Unknown TLS version [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> Unknown TLS version [length 0010]
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 61 to 103.21.127.8 port 36461
        EAP-Message = 0x019400391900140303000101160303002814208a69892760c3d1a54ca7591eb5f1381a96fcf9ce7e665ca765a62869c80ebc159d7b5abf84d5
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x44e11138407508b3ddc39d6e6b8fcf3a
Finished request 4.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=62, length=202
        User-Name = "test.fac1"
        Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "D4-63-C6-9E-33-BD"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "CC7E34D6-0000000F"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027074
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x029400061900
        State = 0x44e11138407508b3ddc39d6e6b8fcf3a
        Message-Authenticator = 0x4924f62a9f2a41b5c9ac17caab27d7ee
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 148 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 62 to 103.21.127.8 port 36461
        EAP-Message = 0x019500281900170303001d14208a69892760c405708180ee60e4d4a6b47310941d12bd78d06c7e3a
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x44e11138417408b3ddc39d6e6b8fcf3a
Finished request 5.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=63, length=241
        User-Name = "test.fac1"
        Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "D4-63-C6-9E-33-BD"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "CC7E34D6-0000000F"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027074
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x0295002d190017030300220000000000000001dca5af0083d483ffafd631c034efed7ea97d0207ef4bd21fb770
        State = 0x44e11138417408b3ddc39d6e6b8fcf3a
        Message-Authenticator = 0x002dc507d8c58f08dc250b9e135fa976
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 149 length 45
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - test.fac1
[peap] Got inner identity 'test.fac1'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
        EAP-Message = 0x0295000e01746573742e66616331
server  {
[peap] Setting User-Name to test.fac1
Sending tunneled request
        EAP-Message = 0x0295000e01746573742e66616331
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "test.fac1"
        Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "D4-63-C6-9E-33-BD"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "CC7E34D6-0000000F"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027074
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        NAS-IP-Address = 103.21.127.8
server  {
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 149 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for test.fac1
[ldap]  expand: %{Stripped-User-Name} -> test.fac1
[ldap]  expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(policy=accept)(enabledapps=web)) -> (&(uid=test.fac1)(policy=accept)(enabledapps=web))
[ldap]  expand: ou=people,dc=x,dc=com -> ou=people,dc=x,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=people,dc=x,dc=com with filter (&(uid=test.fac1)(policy=accept)(enabledapps=web))
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "{SSHA}IDENTITY MASKED"
  [ldap] ntPassword -> NT-Password == IDENTITY MASKED
  [ldap] lmPassword -> LM-Password == IDENTITY MASKED
[ldap] looking for reply items in directory...
  [ldap] departmentNumber -> Dept-Number = "CSE"
  [ldap] employeeType -> Filter-Id = "FAC"
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server
[peap] Got tunneled reply code 11
        Dept-Number = "CSE"
        Filter-Id = "FAC"
        EAP-Message = 0x019600231a0196001e1081d4aede15f3e759d816150f9f90d0d9746573742e66616331
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x259b8c2c250d963050bba180eb895341
[peap] Got tunneled reply RADIUS code Access-Challenge
        Dept-Number = "CSE"
        Filter-Id = "FAC"
        EAP-Message = 0x019600231a0196001e1081d4aede15f3e759d816150f9f90d0d9746573742e66616331
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x259b8c2c250d963050bba180eb895341
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 63 to 103.21.127.8 port 36461
        EAP-Message = 0x019600421900170303003714208a69892760c5976feee0c355b169fb0c3d9fdc4724796bc532c9fb4ed9af0fcefb0d4bcfbee14863a2ffb97e47b5414a148ead167d
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x44e11138427708b3ddc39d6e6b8fcf3a
Finished request 6.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=64, length=295
        User-Name = "test.fac1"
        Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "D4-63-C6-9E-33-BD"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "CC7E34D6-0000000F"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027074
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x02960063190017030300580000000000000002f46448f8de434237a7801a1bfb84e5ab19879f21b09ec99ec48d2d6c970acd1b419056751d7ab0301ad2bbe80d1fe0150900afecd21455e9e133df368545eee2b5b9e6666278a19158420a986f896fd6
        State = 0x44e11138427708b3ddc39d6e6b8fcf3a
        Message-Authenticator = 0xca1c9218629941b0c5afe8dbf00724ab
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 150 length 99
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x029600441a0296003f310b504e9d0939a2a45337a15051a7e9c50000000000000000d4337995d2e6033e7ada08d52e715f700cc345f3ce7f619100746573742e66616331
server  {
[peap] Setting User-Name to test.fac1
Sending tunneled request
        EAP-Message = 0x029600441a0296003f310b504e9d0939a2a45337a15051a7e9c50000000000000000d4337995d2e6033e7ada08d52e715f700cc345f3ce7f619100746573742e66616331
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "test.fac1"
        State = 0x259b8c2c250d963050bba180eb895341
        Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "D4-63-C6-9E-33-BD"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "CC7E34D6-0000000F"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027074
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        NAS-IP-Address = 103.21.127.8
server  {
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 150 length 68
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for test.fac1
[ldap]  expand: %{Stripped-User-Name} -> test.fac1
[ldap]  expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(policy=accept)(enabledapps=web)) -> (&(uid=test.fac1)(policy=accept)(enabledapps=web))
[ldap]  expand: ou=people,dc=x,dc=com -> ou=people,dc=x,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=people,dc=x,dc=com, with filter (&(uid=test.fac1)(policy=accept)(enabledapps=web))
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "{SSHA}IDENTITY MASKED"
  [ldap] ntPassword -> NT-Password == IDENTITY MASKED
  [ldap] lmPassword -> LM-Password == IDENTITY MASKED
[ldap] looking for reply items in directory...
  [ldap] departmentNumber -> Dept-Number = "CSE"
  [ldap] employeeType -> Filter-Id = "FAC"
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
[mschapv2] +group MS-CHAP {
[mschap] Found LM-Password
[mschap] Found NT-Password
[mschap] Creating challenge hash with username: test.fac1
[mschap] Client is using MS-CHAPv2 for test.fac1, we need NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Login incorrect: [test.fac1/<via Auth-Type = EAP>] (from client iitap port 0 cli D4-63-C6-9E-33-BD via TLS tunnel)
Using Post-Auth-Type Reject
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> test.fac1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
} # server
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\226E=691 R=1"
        EAP-Message = 0x04960004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code Access-Reject
        MS-CHAP-Error = "\226E=691 R=1"
        EAP-Message = 0x04960004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 64 to 103.21.127.8 port 36461
        EAP-Message = 0x0197002e1900170303002314208a69892760c6d80a328ac500594d0d4490eb89a52ae61d21e1b7b75e6ac66dd5d5
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x44e11138437608b3ddc39d6e6b8fcf3a
Finished request 7.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=65, length=242
        User-Name = "test.fac1"
        Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "D4-63-C6-9E-33-BD"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "CC7E34D6-0000000F"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027074
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x0297002e1900170303002300000000000000032c20d0d40984d0150ae6d7f7f1ec0f16cfba56df3cab8b8ffea6fa
        State = 0x44e11138437608b3ddc39d6e6b8fcf3a
        Message-Authenticator = 0xa3b190fd72bdabffc94e17b43d816c26
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 151 length 46
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [test.fac1/<via Auth-Type = EAP>] (from client iitap port 0 cli D4-63-C6-9E-33-BD)
Using Post-Auth-Type Reject
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> test.fac1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 65 to 103.21.127.8 port 36461
        EAP-Message = 0x04970004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.4 seconds.
Cleaning up request 0 ID 57 with timestamp +9
Cleaning up request 1 ID 58 with timestamp +9
Cleaning up request 2 ID 59 with timestamp +9
Cleaning up request 3 ID 60 with timestamp +9
Cleaning up request 4 ID 61 with timestamp +9
Cleaning up request 5 ID 62 with timestamp +9
Cleaning up request 6 ID 63 with timestamp +9
Cleaning up request 7 ID 64 with timestamp +9
Waking up in 1.0 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=66, length=192
        User-Name = "test.fac1"
        Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "D4-63-C6-9E-33-BD"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "CC7E34D6-00000010"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027074
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x0254000e01746573742e66616331
        Message-Authenticator = 0xb1f5642ffb6186f10c15f40d590ad472
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 84 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for test.fac1
[ldap]  expand: %{Stripped-User-Name} -> test.fac1
[ldap]  expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(policy=accept)(enabledapps=web)) -> (&(uid=test.fac1)(policy=accept)(enabledapps=web))
[ldap]  expand: ou=people,dc=x,dc=com -> ou=people,dc=x,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=people,dc=x,dc=com with filter (&(uid=test.fac1)(policy=accept)(enabledapps=web))
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "{SSHA}IDENTITY MASKED"
  [ldap] ntPassword -> NT-Password == IDENTITY MASKED
  [ldap] lmPassword -> LM-Password == IDENTITY MASKED
[ldap] looking for reply items in directory...
  [ldap] departmentNumber -> Dept-Number = "CSE"
  [ldap] employeeType -> Filter-Id = "FAC"
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 66 to 103.21.127.8 port 36461
        Filter-Id = "FAC"
        EAP-Message = 0x015500061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf64c6d3df6197448b300864323b9fbe1
Finished request 9.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=67, length=297
        User-Name = "test.fac1"
        Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "D4-63-C6-9E-33-BD"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "CC7E34D6-00000010"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027074
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x0255006519800000005b1603010056010000520301d678c93bb35b8d588af31841a9e833a163183e106c04f17966853081dc8c11a100000ec009c013c00ac014002f0035000a0100001bff0100010000170000000b00020100000a00080006001d00170018
        State = 0xf64c6d3df6197448b300864323b9fbe1
        Message-Authenticator = 0x40487db218603f578938282c0342e7f5
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 85 length 101
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 91
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0056], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 08ee], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap]     TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: SSLv3 read client certificate A
[peap]     TLS_accept: Need to read more data: SSLv3 read client key exchange A
[peap]     TLS_accept: Need to read more data: SSLv3 read client key exchange A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 67 to 103.21.127.8 port 36461
        EAP-Message = 0x593d2de647de76683cb6fd95
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf64c6d3df71a7448b300864323b9fbe1
Finished request 10.
Going to the next request
Waking up in 0.8 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=68, length=202
        User-Name = "test.fac1"
        Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "D4-63-C6-9E-33-BD"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "CC7E34D6-00000010"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027074
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x025600061900
        State = 0xf64c6d3df71a7448b300864323b9fbe1
        Message-Authenticator = 0x0c7944c040b7dc222f748f85c9c53651
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 86 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 68 to 103.21.127.8 port 36461
        EAP-Message = 0xff30360603551d1f
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf64c6d3df41b7448b300864323b9fbe1
Finished request 11.
Going to the next request
Waking up in 0.8 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=69, length=202
        User-Name = "test.fac1"
        Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "D4-63-C6-9E-33-BD"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "CC7E34D6-00000010"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027074
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x025700061900
        State = 0xf64c6d3df41b7448b300864323b9fbe1
        Message-Authenticator = 0xc98bb4213da02a2bf288105768d12fde
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 87 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 69 to 103.21.127.8 port 36461
        EAP-Message = 0x3bde8c68608d63a18194c0331ee8620812a6769028fc2dd85f74c5718635ec6c8660953293de1a319ff9850ff66756040912649cb88451a988d26de947d626e1d8bb98b66a3c913486a1dc5f8fe4c91d694268160236d2b15f4bf87b84fedef58ce0bf5282a83c3f06fd559088fe00c72dd5bcccabcf179afa13a7e6b5edcc047de07ef00c13ddf0bae88c847c1b2172ee09aa4b301f47d30efde6e0d1ff790c0916030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf64c6d3df5147448b300864323b9fbe1
Finished request 12.
Going to the next request
Waking up in 0.7 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=70, length=340
        User-Name = "test.fac1"
        Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "D4-63-C6-9E-33-BD"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "CC7E34D6-00000010"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027074
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x025800901980000000861603010046100000424104584ba16d97871d2891aa9b3bea5e229fb2ce811431686caba1a8d84d812d5a7055114e286242d70be0b23dde2c418e89a88d080094004b18b1e2939714ae26e81403010001011603010030c070f2b7d3c54b88f31acb7bf6319262642b1bd6484bfdb1a741a78e11b953369205f391a8136f425bbfb69ef8d6af4b
        State = 0xf64c6d3df5147448b300864323b9fbe1
        Message-Authenticator = 0x31c135f80dcf8a27bf0a22d3c94d09f4
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 88 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap]     TLS_accept: SSLv3 read certificate verify A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 70 to 103.21.127.8 port 36461
        EAP-Message = 0x01590041190014030100010116030100303bc90209e19f2430e55f5cbf00985af02cc61b69f0019ba85b767277063e8e0ed97f0d895170f858cd8a28fc3afb424b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf64c6d3df2157448b300864323b9fbe1
Finished request 13.
Going to the next request
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=71, length=202
        User-Name = "test.fac1"
        Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "D4-63-C6-9E-33-BD"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "CC7E34D6-00000010"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027074
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x025900061900
        State = 0xf64c6d3df2157448b300864323b9fbe1
        Message-Authenticator = 0xab95c807c503f9ad0d789ce03832f569
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 89 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 71 to 103.21.127.8 port 36461
        EAP-Message = 0x015a002b190017030100206f4920eb854df0451d363d165f7acf473630057ee08cc02c12b201b5f6702598
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf64c6d3df3167448b300864323b9fbe1
Finished request 14.
Going to the next request
Waking up in 0.5 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=72, length=239
        User-Name = "test.fac1"
        Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "D4-63-C6-9E-33-BD"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "CC7E34D6-00000010"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027074
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x025a002b190017030100205c65d1d796601360dcb13de2236f36e89ff35c42816dca8cf98ae434d714ceac
        State = 0xf64c6d3df3167448b300864323b9fbe1
        Message-Authenticator = 0x006d13f8c9b7a38a4c26610332abd833
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 90 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - test.fac1
[peap] Got inner identity 'test.fac1'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
        EAP-Message = 0x025a000e01746573742e66616331
server  {
[peap] Setting User-Name to test.fac1
Sending tunneled request
        EAP-Message = 0x025a000e01746573742e66616331
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "test.fac1"
        Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "D4-63-C6-9E-33-BD"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "CC7E34D6-00000010"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027074
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        NAS-IP-Address = 103.21.127.8
server  {
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 90 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for test.fac1
[ldap]  expand: %{Stripped-User-Name} -> test.fac1
[ldap]  expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(policy=accept)(enabledapps=web)) -> (&(uid=test.fac1)(policy=accept)(enabledapps=web))
[ldap]  expand: ou=people,dc=x,dc=com -> ou=people,dc=x,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=people,dc=x,dc=com, with filter (&(uid=test.fac1)(policy=accept)(enabledapps=web))
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "{SSHA}IDENTITY MASKED"
  [ldap] ntPassword -> NT-Password == IDENTITY MASKED
  [ldap] lmPassword -> LM-Password == IDENTITY MASKED
[ldap] looking for reply items in directory...
  [ldap] departmentNumber -> Dept-Number = "CSE"
  [ldap] employeeType -> Filter-Id = "FAC"
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server
[peap] Got tunneled reply code 11
        Dept-Number = "CSE"
        Filter-Id = "FAC"
        EAP-Message = 0x015b00231a015b001e106531f4bf18f818e8e4221a8bd460bf2e746573742e66616331
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x9066a9d2903db333e0a2f21a2e0aad03
[peap] Got tunneled reply RADIUS code Access-Challenge
        Dept-Number = "CSE"
        Filter-Id = "FAC"
        EAP-Message = 0x015b00231a015b001e106531f4bf18f818e8e4221a8bd460bf2e746573742e66616331
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x9066a9d2903db333e0a2f21a2e0aad03
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 72 to 103.21.127.8 port 36461
        EAP-Message = 0x015b004b190017030100404b1b14f967f93b961efe2df125d134cf7b14d87cb1bd2cca9eab812b0fb1c55bf3c06d90b7abb0d91e0ad2dd0d41fea13bed09e1b8300d6ffdfd8a6ccd9c7879
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf64c6d3df0177448b300864323b9fbe1
Finished request 15.
Going to the next request
Waking up in 0.5 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=73, length=303
        User-Name = "test.fac1"
        Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "D4-63-C6-9E-33-BD"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "CC7E34D6-00000010"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027074
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x025b006b19001703010060378eb43c3a7e9f6cc65f24c1420572c0011ee5ac5f81d2bf033378dcc7b83f865d841b8d035876eaaa399e63b1a14690a35229e04578007d3bd51e76a41288e8ec1e0637e6643a09c5e0bab192d14fb71c68c742c21d5f0e83064bddcd34c7e3
        State = 0xf64c6d3df0177448b300864323b9fbe1
        Message-Authenticator = 0x35c0d2f07afba1d971703de5e1484e9c
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 91 length 107
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x025b00441a025b003f310c0d01affbc837bc31ce19af039a159500000000000000006a76b0df704322f1aee34d2891a1fcdba145f497f3c5d33300746573742e66616331
server  {
[peap] Setting User-Name to test.fac1
Sending tunneled request
        EAP-Message = 0x025b00441a025b003f310c0d01affbc837bc31ce19af039a159500000000000000006a76b0df704322f1aee34d2891a1fcdba145f497f3c5d33300746573742e66616331
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "test.fac1"
        State = 0x9066a9d2903db333e0a2f21a2e0aad03
        Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "D4-63-C6-9E-33-BD"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "CC7E34D6-00000010"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027074
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        NAS-IP-Address = 103.21.127.8
server  {
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 91 length 68
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for test.fac1
[ldap]  expand: %{Stripped-User-Name} -> test.fac1
[ldap]  expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(policy=accept)(enabledapps=web)) -> (&(uid=test.fac1)(policy=accept)(enabledapps=web))
[ldap]  expand: ou=people,dc=x,dc=com -> ou=people,dc=x,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=people,dc=x,dc=com with filter (&(uid=test.fac1)(policy=accept)(enabledapps=web))
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "{SSHA}IDENTITY MASKED"
  [ldap] ntPassword -> NT-Password == IDENTITY MASKED
  [ldap] lmPassword -> LM-Password == IDENTITY MASKED
[ldap] looking for reply items in directory...
  [ldap] departmentNumber -> Dept-Number = "CSE"
  [ldap] employeeType -> Filter-Id = "FAC"
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
[mschapv2] +group MS-CHAP {
[mschap] Found LM-Password
[mschap] Found NT-Password
[mschap] Creating challenge hash with username: test.fac1
[mschap] Client is using MS-CHAPv2 for test.fac1, we need NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Login incorrect: [test.fac1/<via Auth-Type = EAP>] (from client iitap port 0 cli D4-63-C6-9E-33-BD via TLS tunnel)
Using Post-Auth-Type Reject
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> test.fac1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
} # server
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "[E=691 R=1"
        EAP-Message = 0x045b0004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code Access-Reject
        MS-CHAP-Error = "[E=691 R=1"
        EAP-Message = 0x045b0004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 73 to 103.21.127.8 port 36461
        EAP-Message = 0x015c002b19001703010020c9b3ce265f03e10c55e890396b6ffdcb8ca7f5811b9169c5d1268f4e16706a49
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf64c6d3df1107448b300864323b9fbe1
Finished request 16.
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=74, length=239
        User-Name = "test.fac1"
        Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "D4-63-C6-9E-33-BD"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "CC7E34D6-00000010"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027074
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x025c002b190017030100209a17fa6c0aec67a9c31f4f734b75ca7850221c5039f2b31171ca60a8bb087267
        State = 0xf64c6d3df1107448b300864323b9fbe1
        Message-Authenticator = 0xda86c8f02d3c4c10537082485fac5efa
# Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test.fac1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.fac1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 92 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [test.fac1/<via Auth-Type = EAP>] (from client iitap port 0 cli D4-63-C6-9E-33-BD)
Using Post-Auth-Type Reject
# Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> test.fac1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 17 for 1 seconds
Going to the next request
Waking up in 0.3 seconds.
Cleaning up request 8 ID 65 with timestamp +9
Waking up in 0.6 seconds.
Sending delayed reject for request 17
Sending Access-Reject of id 74 to 103.21.127.8 port 36461
        EAP-Message = 0x045c0004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.4 seconds.
^C
[root at radius ~]#

