MS-CHAP2-Request is rejected
william steen
wjsteen at talktalk.net
Tue May 21 21:33:51 CEST 2019
Matthew
Thank you for the observations. Mea culpa - the password was wrong. Having corrected that, I am getting a WICED 1064 error back on the device, which I believe means EAPOL_KEY_FAILURE. I am really struggling to read the full debug and understand why it is not working. I can’t see anything in the output that says it is not working; in fact, I see at the end SUCCESS - so is this a device issue?
(36) Received Access-Request Id 208 from 192.168.1.38:55602 to 192.168.1.33:1812 length 174
(36) User-Name = "anonymous"
(36) NAS-IP-Address = 192.168.1.38
(36) NAS-Identifier = "b4fbe4c348ab"
(36) NAS-Port = 0
(36) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
(36) Calling-Station-Id = "E0-4F-43-36-B1-F1"
(36) Framed-MTU = 1400
(36) NAS-Port-Type = Wireless-802.11
(36) Connect-Info = "CONNECT 0Mbps 802.11b"
(36) EAP-Message = 0x02b5000e01616e6f6e796d6f7573
(36) Message-Authenticator = 0x25509f16a2da40b886f964a9fb289b2a
(36) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(36) authorize {
(36) policy filter_username {
(36) if (&User-Name) {
(36) if (&User-Name) -> TRUE
(36) if (&User-Name) {
(36) if (&User-Name =~ / /) {
(36) if (&User-Name =~ / /) -> FALSE
(36) if (&User-Name =~ /@[^@]*@/ ) {
(36) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(36) if (&User-Name =~ /\.\./ ) {
(36) if (&User-Name =~ /\.\./ ) -> FALSE
(36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(36) if (&User-Name =~ /\.$/) {
(36) if (&User-Name =~ /\.$/) -> FALSE
(36) if (&User-Name =~ /@\./) {
(36) if (&User-Name =~ /@\./) -> FALSE
(36) } # if (&User-Name) = notfound
(36) } # policy filter_username = notfound
(36) [preprocess] = ok
(36) [chap] = noop
(36) [mschap] = noop
(36) [digest] = noop
(36) suffix: Checking for suffix after "@"
(36) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(36) suffix: No such realm "NULL"
(36) [suffix] = noop
(36) eap: Peer sent EAP Response (code 2) ID 181 length 14
(36) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(36) [eap] = ok
(36) } # authorize = ok
(36) Found Auth-Type = eap
(36) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(36) authenticate {
(36) eap: Peer sent packet with method EAP Identity (1)
(36) eap: Calling submodule eap_md5 to process data
(36) eap_md5: Issuing MD5 Challenge
(36) eap: Sending EAP Request (code 1) ID 182 length 22
(36) eap: EAP session adding &reply:State = 0x2a8581bd2a3385df
(36) [eap] = handled
(36) } # authenticate = handled
(36) Using Post-Auth-Type Challenge
(36) Post-Auth-Type sub-section not found. Ignoring.
(36) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(36) Sent Access-Challenge Id 208 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0
(36) EAP-Message = 0x01b600160410ff129213cf36dc9899010133da42091f
(36) Message-Authenticator = 0x00000000000000000000000000000000
(36) State = 0x2a8581bd2a3385df1e814808369ac970
(36) Finished request
Waking up in 4.9 seconds.
(37) Received Access-Request Id 209 from 192.168.1.38:55602 to 192.168.1.33:1812 length 184
(37) User-Name = "anonymous"
(37) NAS-IP-Address = 192.168.1.38
(37) NAS-Identifier = "b4fbe4c348ab"
(37) NAS-Port = 0
(37) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
(37) Calling-Station-Id = "E0-4F-43-36-B1-F1"
(37) Framed-MTU = 1400
(37) NAS-Port-Type = Wireless-802.11
(37) Connect-Info = "CONNECT 0Mbps 802.11b"
(37) EAP-Message = 0x02b600060319
(37) State = 0x2a8581bd2a3385df1e814808369ac970
(37) Message-Authenticator = 0x8119d40b649a68faa58453efa4c195eb
(37) session-state: No cached attributes
(37) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(37) authorize {
(37) policy filter_username {
(37) if (&User-Name) {
(37) if (&User-Name) -> TRUE
(37) if (&User-Name) {
(37) if (&User-Name =~ / /) {
(37) if (&User-Name =~ / /) -> FALSE
(37) if (&User-Name =~ /@[^@]*@/ ) {
(37) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(37) if (&User-Name =~ /\.\./ ) {
(37) if (&User-Name =~ /\.\./ ) -> FALSE
(37) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(37) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(37) if (&User-Name =~ /\.$/) {
(37) if (&User-Name =~ /\.$/) -> FALSE
(37) if (&User-Name =~ /@\./) {
(37) if (&User-Name =~ /@\./) -> FALSE
(37) } # if (&User-Name) = notfound
(37) } # policy filter_username = notfound
(37) [preprocess] = ok
(37) [chap] = noop
(37) [mschap] = noop
(37) [digest] = noop
(37) suffix: Checking for suffix after "@"
(37) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(37) suffix: No such realm "NULL"
(37) [suffix] = noop
(37) eap: Peer sent EAP Response (code 2) ID 182 length 6
(37) eap: No EAP Start, assuming it's an on-going EAP conversation
(37) [eap] = updated
(37) [files] = noop
(37) [expiration] = noop
(37) [logintime] = noop
(37) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(37) pap: WARNING: Authentication will fail unless a "known good" password is available
(37) [pap] = noop
(37) } # authorize = updated
(37) Found Auth-Type = eap
(37) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(37) authenticate {
(37) eap: Expiring EAP session with state 0x2a8581bd2a3385df
(37) eap: Finished EAP session with state 0x2a8581bd2a3385df
(37) eap: Previous EAP request found for state 0x2a8581bd2a3385df, released from the list
(37) eap: Peer sent packet with method EAP NAK (3)
(37) eap: Found mutually acceptable type PEAP (25)
(37) eap: Calling submodule eap_peap to process data
(37) eap_peap: Initiating new EAP-TLS session
(37) eap_peap: [eaptls start] = request
(37) eap: Sending EAP Request (code 1) ID 183 length 6
(37) eap: EAP session adding &reply:State = 0x2a8581bd2b3298df
(37) [eap] = handled
(37) } # authenticate = handled
(37) Using Post-Auth-Type Challenge
(37) Post-Auth-Type sub-section not found. Ignoring.
(37) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(37) Sent Access-Challenge Id 209 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0
(37) EAP-Message = 0x01b700061920
(37) Message-Authenticator = 0x00000000000000000000000000000000
(37) State = 0x2a8581bd2b3298df1e814808369ac970
(37) Finished request
Waking up in 4.9 seconds.
(38) Received Access-Request Id 210 from 192.168.1.38:55602 to 192.168.1.33:1812 length 274
(38) User-Name = "anonymous"
(38) NAS-IP-Address = 192.168.1.38
(38) NAS-Identifier = "b4fbe4c348ab"
(38) NAS-Port = 0
(38) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
(38) Calling-Station-Id = "E0-4F-43-36-B1-F1"
(38) Framed-MTU = 1400
(38) NAS-Port-Type = Wireless-802.11
(38) Connect-Info = "CONNECT 0Mbps 802.11b"
(38) EAP-Message = 0x02b7006019800000005616030300510100004d0303000000281cdc9b2252c07aa2864276d5d684b9f771cff5a17b5c280169d1bf8a000004003c002f01000020000a000400020017000b00020100000d000e000c020102030301030304010403
(38) State = 0x2a8581bd2b3298df1e814808369ac970
(38) Message-Authenticator = 0xb616b97bb086ec34a2c8ef9911d0ea09
(38) session-state: No cached attributes
(38) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(38) authorize {
(38) policy filter_username {
(38) if (&User-Name) {
(38) if (&User-Name) -> TRUE
(38) if (&User-Name) {
(38) if (&User-Name =~ / /) {
(38) if (&User-Name =~ / /) -> FALSE
(38) if (&User-Name =~ /@[^@]*@/ ) {
(38) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(38) if (&User-Name =~ /\.\./ ) {
(38) if (&User-Name =~ /\.\./ ) -> FALSE
(38) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(38) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(38) if (&User-Name =~ /\.$/) {
(38) if (&User-Name =~ /\.$/) -> FALSE
(38) if (&User-Name =~ /@\./) {
(38) if (&User-Name =~ /@\./) -> FALSE
(38) } # if (&User-Name) = notfound
(38) } # policy filter_username = notfound
(38) [preprocess] = ok
(38) [chap] = noop
(38) [mschap] = noop
(38) [digest] = noop
(38) suffix: Checking for suffix after "@"
(38) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(38) suffix: No such realm "NULL"
(38) [suffix] = noop
(38) eap: Peer sent EAP Response (code 2) ID 183 length 96
(38) eap: Continuing tunnel setup
(38) [eap] = ok
(38) } # authorize = ok
(38) Found Auth-Type = eap
(38) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(38) authenticate {
(38) eap: Expiring EAP session with state 0x2a8581bd2b3298df
(38) eap: Finished EAP session with state 0x2a8581bd2b3298df
(38) eap: Previous EAP request found for state 0x2a8581bd2b3298df, released from the list
(38) eap: Peer sent packet with method EAP PEAP (25)
(38) eap: Calling submodule eap_peap to process data
(38) eap_peap: Continuing EAP-TLS
(38) eap_peap: Peer indicated complete TLS record size will be 86 bytes
(38) eap_peap: Got complete TLS record (86 bytes)
(38) eap_peap: [eaptls verify] = length included
(38) eap_peap: (other): before SSL initialization
(38) eap_peap: TLS_accept: before SSL initialization
(38) eap_peap: TLS_accept: before SSL initialization
(38) eap_peap: <<< recv TLS 1.2 [length 0051]
(38) eap_peap: TLS_accept: SSLv3/TLS read client hello
(38) eap_peap: >>> send TLS 1.2 [length 002a]
(38) eap_peap: TLS_accept: SSLv3/TLS write server hello
(38) eap_peap: >>> send TLS 1.2 [length 02f1]
(38) eap_peap: TLS_accept: SSLv3/TLS write certificate
(38) eap_peap: >>> send TLS 1.2 [length 0004]
(38) eap_peap: TLS_accept: SSLv3/TLS write server done
(38) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(38) eap_peap: In SSL Handshake Phase
(38) eap_peap: In SSL Accept mode
(38) eap_peap: [eaptls process] = handled
(38) eap: Sending EAP Request (code 1) ID 184 length 820
(38) eap: EAP session adding &reply:State = 0x2a8581bd283d98df
(38) [eap] = handled
(38) } # authenticate = handled
(38) Using Post-Auth-Type Challenge
(38) Post-Auth-Type sub-section not found. Ignoring.
(38) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(38) Sent Access-Challenge Id 210 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0
(38) EAP-Message = 0x01b803341900160303002a020000260303cf3c4b0e5ed60e104aad4ed9b51fb76b9896b63ef4a31d3e772041f6e35b257200003c0016030302f10b0002ed0002ea0002e7308202e3308201cba003020102020900a170e33eaa8a04e7300d06092a864886f70d01010b0500301b3119301706035504030c
(38) Message-Authenticator = 0x00000000000000000000000000000000
(38) State = 0x2a8581bd283d98df1e814808369ac970
(38) Finished request
Waking up in 4.9 seconds.
(39) Received Access-Request Id 211 from 192.168.1.38:55602 to 192.168.1.33:1812 length 548
(39) User-Name = "anonymous"
(39) NAS-IP-Address = 192.168.1.38
(39) NAS-Identifier = "b4fbe4c348ab"
(39) NAS-Port = 0
(39) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
(39) Calling-Station-Id = "E0-4F-43-36-B1-F1"
(39) Framed-MTU = 1400
(39) NAS-Port-Type = Wireless-802.11
(39) Connect-Info = "CONNECT 0Mbps 802.11b"
(39) EAP-Message = 0x02b80170198000000166160303010610000102010071e19621b125c24ad8dad747ca68b5f71eedd73d928788b92dcffb97d102f453587e37ecc1fa3d8fd8b80b6db2ef5bb91b0452e39652df4324e7251c3ca8401dc5d7565b8b87187452af469f979e0f7e89441a02251a4da163c0cd6fcd7faa357fac
(39) State = 0x2a8581bd283d98df1e814808369ac970
(39) Message-Authenticator = 0x04bed256ea91148ae84b66643a916080
(39) session-state: No cached attributes
(39) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(39) authorize {
(39) policy filter_username {
(39) if (&User-Name) {
(39) if (&User-Name) -> TRUE
(39) if (&User-Name) {
(39) if (&User-Name =~ / /) {
(39) if (&User-Name =~ / /) -> FALSE
(39) if (&User-Name =~ /@[^@]*@/ ) {
(39) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(39) if (&User-Name =~ /\.\./ ) {
(39) if (&User-Name =~ /\.\./ ) -> FALSE
(39) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(39) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(39) if (&User-Name =~ /\.$/) {
(39) if (&User-Name =~ /\.$/) -> FALSE
(39) if (&User-Name =~ /@\./) {
(39) if (&User-Name =~ /@\./) -> FALSE
(39) } # if (&User-Name) = notfound
(39) } # policy filter_username = notfound
(39) [preprocess] = ok
(39) [chap] = noop
(39) [mschap] = noop
(39) [digest] = noop
(39) suffix: Checking for suffix after "@"
(39) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(39) suffix: No such realm "NULL"
(39) [suffix] = noop
(39) eap: Peer sent EAP Response (code 2) ID 184 length 368
(39) eap: Continuing tunnel setup
(39) [eap] = ok
(39) } # authorize = ok
(39) Found Auth-Type = eap
(39) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(39) authenticate {
(39) eap: Expiring EAP session with state 0x2a8581bd283d98df
(39) eap: Finished EAP session with state 0x2a8581bd283d98df
(39) eap: Previous EAP request found for state 0x2a8581bd283d98df, released from the list
(39) eap: Peer sent packet with method EAP PEAP (25)
(39) eap: Calling submodule eap_peap to process data
(39) eap_peap: Continuing EAP-TLS
(39) eap_peap: Peer indicated complete TLS record size will be 358 bytes
(39) eap_peap: Got complete TLS record (358 bytes)
(39) eap_peap: [eaptls verify] = length included
(39) eap_peap: TLS_accept: SSLv3/TLS write server done
(39) eap_peap: <<< recv TLS 1.2 [length 0106]
(39) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(39) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(39) eap_peap: <<< recv TLS 1.2 [length 0010]
(39) eap_peap: TLS_accept: SSLv3/TLS read finished
(39) eap_peap: >>> send TLS 1.2 [length 0001]
(39) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(39) eap_peap: >>> send TLS 1.2 [length 0010]
(39) eap_peap: TLS_accept: SSLv3/TLS write finished
(39) eap_peap: (other): SSL negotiation finished successfully
(39) eap_peap: SSL Connection Established
(39) eap_peap: [eaptls process] = handled
(39) eap: Sending EAP Request (code 1) ID 185 length 97
(39) eap: EAP session adding &reply:State = 0x2a8581bd293c98df
(39) [eap] = handled
(39) } # authenticate = handled
(39) Using Post-Auth-Type Challenge
(39) Post-Auth-Type sub-section not found. Ignoring.
(39) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(39) Sent Access-Challenge Id 211 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0
(39) EAP-Message = 0x01b9006119001403030001011603030050b0b0d9af69f459f35b4b47f71ed961ad39a4d03368daf9ae1b1438e2c5f6586f3396151c1e6d9b8d815db52d93a0b1df8be145d56c2a3dd6b1133e231ee64be468f9dafc1529bac1bb8da84d57fe81d0
(39) Message-Authenticator = 0x00000000000000000000000000000000
(39) State = 0x2a8581bd293c98df1e814808369ac970
(39) Finished request
Waking up in 4.8 seconds.
(40) Received Access-Request Id 212 from 192.168.1.38:55602 to 192.168.1.33:1812 length 184
(40) User-Name = "anonymous"
(40) NAS-IP-Address = 192.168.1.38
(40) NAS-Identifier = "b4fbe4c348ab"
(40) NAS-Port = 0
(40) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
(40) Calling-Station-Id = "E0-4F-43-36-B1-F1"
(40) Framed-MTU = 1400
(40) NAS-Port-Type = Wireless-802.11
(40) Connect-Info = "CONNECT 0Mbps 802.11b"
(40) EAP-Message = 0x02b900061900
(40) State = 0x2a8581bd293c98df1e814808369ac970
(40) Message-Authenticator = 0xe886a2afdad2cabad78f25fbe33d4914
(40) session-state: No cached attributes
(40) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(40) authorize {
(40) policy filter_username {
(40) if (&User-Name) {
(40) if (&User-Name) -> TRUE
(40) if (&User-Name) {
(40) if (&User-Name =~ / /) {
(40) if (&User-Name =~ / /) -> FALSE
(40) if (&User-Name =~ /@[^@]*@/ ) {
(40) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(40) if (&User-Name =~ /\.\./ ) {
(40) if (&User-Name =~ /\.\./ ) -> FALSE
(40) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(40) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(40) if (&User-Name =~ /\.$/) {
(40) if (&User-Name =~ /\.$/) -> FALSE
(40) if (&User-Name =~ /@\./) {
(40) if (&User-Name =~ /@\./) -> FALSE
(40) } # if (&User-Name) = notfound
(40) } # policy filter_username = notfound
(40) [preprocess] = ok
(40) [chap] = noop
(40) [mschap] = noop
(40) [digest] = noop
(40) suffix: Checking for suffix after "@"
(40) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(40) suffix: No such realm "NULL"
(40) [suffix] = noop
(40) eap: Peer sent EAP Response (code 2) ID 185 length 6
(40) eap: Continuing tunnel setup
(40) [eap] = ok
(40) } # authorize = ok
(40) Found Auth-Type = eap
(40) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(40) authenticate {
(40) eap: Expiring EAP session with state 0x2a8581bd293c98df
(40) eap: Finished EAP session with state 0x2a8581bd293c98df
(40) eap: Previous EAP request found for state 0x2a8581bd293c98df, released from the list
(40) eap: Peer sent packet with method EAP PEAP (25)
(40) eap: Calling submodule eap_peap to process data
(40) eap_peap: Continuing EAP-TLS
(40) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(40) eap_peap: [eaptls verify] = success
(40) eap_peap: [eaptls process] = success
(40) eap_peap: Session established. Decoding tunneled attributes
(40) eap_peap: PEAP state TUNNEL ESTABLISHED
(40) eap: Sending EAP Request (code 1) ID 186 length 75
(40) eap: EAP session adding &reply:State = 0x2a8581bd2e3f98df
(40) [eap] = handled
(40) } # authenticate = handled
(40) Using Post-Auth-Type Challenge
(40) Post-Auth-Type sub-section not found. Ignoring.
(40) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(40) Sent Access-Challenge Id 212 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0
(40) EAP-Message = 0x01ba004b1900170303004050c7ff5a029d65ebb5f58ad75a43ea64eac1cd728a20be159fe3b332033e212a25fff20cf216db3542a33712cec541299cc1be4e818a681e6170a7ef0f0b36fd
(40) Message-Authenticator = 0x00000000000000000000000000000000
(40) State = 0x2a8581bd2e3f98df1e814808369ac970
(40) Finished request
Waking up in 4.7 seconds.
(41) Received Access-Request Id 213 from 192.168.1.38:55602 to 192.168.1.33:1812 length 253
(41) User-Name = "anonymous"
(41) NAS-IP-Address = 192.168.1.38
(41) NAS-Identifier = "b4fbe4c348ab"
(41) NAS-Port = 0
(41) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
(41) Calling-Station-Id = "E0-4F-43-36-B1-F1"
(41) Framed-MTU = 1400
(41) NAS-Port-Type = Wireless-802.11
(41) Connect-Info = "CONNECT 0Mbps 802.11b"
(41) EAP-Message = 0x02ba004b190017030300400afc0335cdebda0b8aedef718917f7a9266c20e51e93d29843d1d72b4692f912508ecd700311673ed582be464091945f62ecef71c226614b11d7520ed1411b3e
(41) State = 0x2a8581bd2e3f98df1e814808369ac970
(41) Message-Authenticator = 0x9fb73be30fe0f94516f4b1eb6ca07baf
(41) session-state: No cached attributes
(41) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(41) authorize {
(41) policy filter_username {
(41) if (&User-Name) {
(41) if (&User-Name) -> TRUE
(41) if (&User-Name) {
(41) if (&User-Name =~ / /) {
(41) if (&User-Name =~ / /) -> FALSE
(41) if (&User-Name =~ /@[^@]*@/ ) {
(41) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(41) if (&User-Name =~ /\.\./ ) {
(41) if (&User-Name =~ /\.\./ ) -> FALSE
(41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(41) if (&User-Name =~ /\.$/) {
(41) if (&User-Name =~ /\.$/) -> FALSE
(41) if (&User-Name =~ /@\./) {
(41) if (&User-Name =~ /@\./) -> FALSE
(41) } # if (&User-Name) = notfound
(41) } # policy filter_username = notfound
(41) [preprocess] = ok
(41) [chap] = noop
(41) [mschap] = noop
(41) [digest] = noop
(41) suffix: Checking for suffix after "@"
(41) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(41) suffix: No such realm "NULL"
(41) [suffix] = noop
(41) eap: Peer sent EAP Response (code 2) ID 186 length 75
(41) eap: Continuing tunnel setup
(41) [eap] = ok
(41) } # authorize = ok
(41) Found Auth-Type = eap
(41) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(41) authenticate {
(41) eap: Expiring EAP session with state 0x2a8581bd2e3f98df
(41) eap: Finished EAP session with state 0x2a8581bd2e3f98df
(41) eap: Previous EAP request found for state 0x2a8581bd2e3f98df, released from the list
(41) eap: Peer sent packet with method EAP PEAP (25)
(41) eap: Calling submodule eap_peap to process data
(41) eap_peap: Continuing EAP-TLS
(41) eap_peap: [eaptls verify] = ok
(41) eap_peap: Done initial handshake
(41) eap_peap: [eaptls process] = ok
(41) eap_peap: Session established. Decoding tunneled attributes
(41) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(41) eap_peap: Identity - particle
(41) eap_peap: Got inner identity 'particle'
(41) eap_peap: Setting default EAP type for tunneled EAP session
(41) eap_peap: Got tunneled request
(41) eap_peap: EAP-Message = 0x02ba000d017061727469636c65
(41) eap_peap: Setting User-Name to particle
(41) eap_peap: Sending tunneled request to inner-tunnel
(41) eap_peap: EAP-Message = 0x02ba000d017061727469636c65
(41) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(41) eap_peap: User-Name = "particle"
(41) Virtual server inner-tunnel received request
(41) EAP-Message = 0x02ba000d017061727469636c65
(41) FreeRADIUS-Proxied-To = 127.0.0.1
(41) User-Name = "particle"
(41) server inner-tunnel {
(41) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(41) authorize {
(41) policy filter_username {
(41) if (&User-Name) {
(41) if (&User-Name) -> TRUE
(41) if (&User-Name) {
(41) if (&User-Name =~ / /) {
(41) if (&User-Name =~ / /) -> FALSE
(41) if (&User-Name =~ /@[^@]*@/ ) {
(41) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(41) if (&User-Name =~ /\.\./ ) {
(41) if (&User-Name =~ /\.\./ ) -> FALSE
(41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(41) if (&User-Name =~ /\.$/) {
(41) if (&User-Name =~ /\.$/) -> FALSE
(41) if (&User-Name =~ /@\./) {
(41) if (&User-Name =~ /@\./) -> FALSE
(41) } # if (&User-Name) = notfound
(41) } # policy filter_username = notfound
(41) [chap] = noop
(41) [mschap] = noop
(41) suffix: Checking for suffix after "@"
(41) suffix: No '@' in User-Name = "particle", looking up realm NULL
(41) suffix: No such realm "NULL"
(41) [suffix] = noop
(41) update control {
(41) &Proxy-To-Realm := LOCAL
(41) } # update control = noop
(41) eap: Peer sent EAP Response (code 2) ID 186 length 13
(41) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(41) [eap] = ok
(41) } # authorize = ok
(41) Found Auth-Type = eap
(41) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(41) authenticate {
(41) eap: Peer sent packet with method EAP Identity (1)
(41) eap: Calling submodule eap_mschapv2 to process data
(41) eap_mschapv2: Issuing Challenge
(41) eap: Sending EAP Request (code 1) ID 187 length 43
(41) eap: EAP session adding &reply:State = 0xc826a0d6c89dba78
(41) [eap] = handled
(41) } # authenticate = handled
(41) } # server inner-tunnel
(41) Virtual server sending reply
(41) EAP-Message = 0x01bb002b1a01bb0026106f4ce167e77644b791c3f64990af9d0a667265657261646975732d332e302e3132
(41) Message-Authenticator = 0x00000000000000000000000000000000
(41) State = 0xc826a0d6c89dba78a72f2090812f4b12
(41) eap_peap: Got tunneled reply code 11
(41) eap_peap: EAP-Message = 0x01bb002b1a01bb0026106f4ce167e77644b791c3f64990af9d0a667265657261646975732d332e302e3132
(41) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(41) eap_peap: State = 0xc826a0d6c89dba78a72f2090812f4b12
(41) eap_peap: Got tunneled reply RADIUS code 11
(41) eap_peap: EAP-Message = 0x01bb002b1a01bb0026106f4ce167e77644b791c3f64990af9d0a667265657261646975732d332e302e3132
(41) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(41) eap_peap: State = 0xc826a0d6c89dba78a72f2090812f4b12
(41) eap_peap: Got tunneled Access-Challenge
(41) eap: Sending EAP Request (code 1) ID 187 length 107
(41) eap: EAP session adding &reply:State = 0x2a8581bd2f3e98df
(41) [eap] = handled
(41) } # authenticate = handled
(41) Using Post-Auth-Type Challenge
(41) Post-Auth-Type sub-section not found. Ignoring.
(41) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(41) Sent Access-Challenge Id 213 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0
(41) EAP-Message = 0x01bb006b1900170303006079feffc6710fc43792c394a4889d930fe8c6c16d764af16d1d3976d6e621e36843745d0bffc55524283b9bd53ea806ced6df2dbbdde549e3e5cc38979d5cb49ad0da91db6f806722c0e8a4d302d8271e25e76be953888bdd43cae59c2735c288
(41) Message-Authenticator = 0x00000000000000000000000000000000
(41) State = 0x2a8581bd2f3e98df1e814808369ac970
(41) Finished request
Waking up in 4.7 seconds.
(42) Received Access-Request Id 214 from 192.168.1.38:55602 to 192.168.1.33:1812 length 301
(42) User-Name = "anonymous"
(42) NAS-IP-Address = 192.168.1.38
(42) NAS-Identifier = "b4fbe4c348ab"
(42) NAS-Port = 0
(42) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
(42) Calling-Station-Id = "E0-4F-43-36-B1-F1"
(42) Framed-MTU = 1400
(42) NAS-Port-Type = Wireless-802.11
(42) Connect-Info = "CONNECT 0Mbps 802.11b"
(42) EAP-Message = 0x02bb007b190017030300700afc0335cdebda0b8aedef718917f7a9c3609e53fed2947c5461a170ad04e646ead20718e53d64b3e64bfa32cbc4920565fd84e50ee59a599ef81f5b234f495ceb2429aed13228f79886d1231139863a94e38688d4bf00844977159f1ab54839398774564992f36bdca50f16
(42) State = 0x2a8581bd2f3e98df1e814808369ac970
(42) Message-Authenticator = 0x03cd878b5c6e2070f2fe065228980db3
(42) session-state: No cached attributes
(42) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(42) authorize {
(42) policy filter_username {
(42) if (&User-Name) {
(42) if (&User-Name) -> TRUE
(42) if (&User-Name) {
(42) if (&User-Name =~ / /) {
(42) if (&User-Name =~ / /) -> FALSE
(42) if (&User-Name =~ /@[^@]*@/ ) {
(42) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(42) if (&User-Name =~ /\.\./ ) {
(42) if (&User-Name =~ /\.\./ ) -> FALSE
(42) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(42) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(42) if (&User-Name =~ /\.$/) {
(42) if (&User-Name =~ /\.$/) -> FALSE
(42) if (&User-Name =~ /@\./) {
(42) if (&User-Name =~ /@\./) -> FALSE
(42) } # if (&User-Name) = notfound
(42) } # policy filter_username = notfound
(42) [preprocess] = ok
(42) [chap] = noop
(42) [mschap] = noop
(42) [digest] = noop
(42) suffix: Checking for suffix after "@"
(42) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(42) suffix: No such realm "NULL"
(42) [suffix] = noop
(42) eap: Peer sent EAP Response (code 2) ID 187 length 123
(42) eap: Continuing tunnel setup
(42) [eap] = ok
(42) } # authorize = ok
(42) Found Auth-Type = eap
(42) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(42) authenticate {
(42) eap: Expiring EAP session with state 0xc826a0d6c89dba78
(42) eap: Finished EAP session with state 0x2a8581bd2f3e98df
(42) eap: Previous EAP request found for state 0x2a8581bd2f3e98df, released from the list
(42) eap: Peer sent packet with method EAP PEAP (25)
(42) eap: Calling submodule eap_peap to process data
(42) eap_peap: Continuing EAP-TLS
(42) eap_peap: [eaptls verify] = ok
(42) eap_peap: Done initial handshake
(42) eap_peap: [eaptls process] = ok
(42) eap_peap: Session established. Decoding tunneled attributes
(42) eap_peap: PEAP state phase2
(42) eap_peap: EAP method MSCHAPv2 (26)
(42) eap_peap: Got tunneled request
(42) eap_peap: EAP-Message = 0x02bb00431a02bb003e312f2fa421ed073e5f4e6ffa2ac0392cf50000000000000000fd328695c49903d233c34dacdd44570b0aa2ef23d5078df9007061727469636c65
(42) eap_peap: Setting User-Name to particle
(42) eap_peap: Sending tunneled request to inner-tunnel
(42) eap_peap: EAP-Message = 0x02bb00431a02bb003e312f2fa421ed073e5f4e6ffa2ac0392cf50000000000000000fd328695c49903d233c34dacdd44570b0aa2ef23d5078df9007061727469636c65
(42) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(42) eap_peap: User-Name = "particle"
(42) eap_peap: State = 0xc826a0d6c89dba78a72f2090812f4b12
(42) Virtual server inner-tunnel received request
(42) EAP-Message = 0x02bb00431a02bb003e312f2fa421ed073e5f4e6ffa2ac0392cf50000000000000000fd328695c49903d233c34dacdd44570b0aa2ef23d5078df9007061727469636c65
(42) FreeRADIUS-Proxied-To = 127.0.0.1
(42) User-Name = "particle"
(42) State = 0xc826a0d6c89dba78a72f2090812f4b12
(42) server inner-tunnel {
(42) session-state: No cached attributes
(42) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(42) authorize {
(42) policy filter_username {
(42) if (&User-Name) {
(42) if (&User-Name) -> TRUE
(42) if (&User-Name) {
(42) if (&User-Name =~ / /) {
(42) if (&User-Name =~ / /) -> FALSE
(42) if (&User-Name =~ /@[^@]*@/ ) {
(42) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(42) if (&User-Name =~ /\.\./ ) {
(42) if (&User-Name =~ /\.\./ ) -> FALSE
(42) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(42) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(42) if (&User-Name =~ /\.$/) {
(42) if (&User-Name =~ /\.$/) -> FALSE
(42) if (&User-Name =~ /@\./) {
(42) if (&User-Name =~ /@\./) -> FALSE
(42) } # if (&User-Name) = notfound
(42) } # policy filter_username = notfound
(42) [chap] = noop
(42) [mschap] = noop
(42) suffix: Checking for suffix after "@"
(42) suffix: No '@' in User-Name = "particle", looking up realm NULL
(42) suffix: No such realm "NULL"
(42) [suffix] = noop
(42) update control {
(42) &Proxy-To-Realm := LOCAL
(42) } # update control = noop
(42) eap: Peer sent EAP Response (code 2) ID 187 length 67
(42) eap: No EAP Start, assuming it's an on-going EAP conversation
(42) [eap] = updated
(42) files: users: Matched entry particle at line 1
(42) [files] = ok
(42) [expiration] = noop
(42) [logintime] = noop
(42) pap: WARNING: Auth-Type already set. Not setting to PAP
(42) [pap] = noop
(42) } # authorize = updated
(42) Found Auth-Type = eap
(42) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(42) authenticate {
(42) eap: Expiring EAP session with state 0xc826a0d6c89dba78
(42) eap: Finished EAP session with state 0xc826a0d6c89dba78
(42) eap: Previous EAP request found for state 0xc826a0d6c89dba78, released from the list
(42) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(42) eap: Calling submodule eap_mschapv2 to process data
(42) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(42) eap_mschapv2: authenticate {
(42) mschap: Found Cleartext-Password, hashing to create NT-Password
(42) mschap: Found Cleartext-Password, hashing to create LM-Password
(42) mschap: Creating challenge hash with username: particle
(42) mschap: Client is using MS-CHAPv2
(42) mschap: Adding MS-CHAPv2 MPPE keys
(42) [mschap] = ok
(42) } # authenticate = ok
(42) MSCHAP Success
(42) eap: Sending EAP Request (code 1) ID 188 length 51
(42) eap: EAP session adding &reply:State = 0xc826a0d6c99aba78
(42) [eap] = handled
(42) } # authenticate = handled
(42) } # server inner-tunnel
(42) Virtual server sending reply
(42) EAP-Message = 0x01bc00331a03bb002e533d46394438374233353045373638353639363642334230453831344530314234394638393739463836
(42) Message-Authenticator = 0x00000000000000000000000000000000
(42) State = 0xc826a0d6c99aba78a72f2090812f4b12
(42) eap_peap: Got tunneled reply code 11
(42) eap_peap: EAP-Message = 0x01bc00331a03bb002e533d46394438374233353045373638353639363642334230453831344530314234394638393739463836
(42) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(42) eap_peap: State = 0xc826a0d6c99aba78a72f2090812f4b12
(42) eap_peap: Got tunneled reply RADIUS code 11
(42) eap_peap: EAP-Message = 0x01bc00331a03bb002e533d46394438374233353045373638353639363642334230453831344530314234394638393739463836
(42) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(42) eap_peap: State = 0xc826a0d6c99aba78a72f2090812f4b12
(42) eap_peap: Got tunneled Access-Challenge
(42) eap: Sending EAP Request (code 1) ID 188 length 107
(42) eap: EAP session adding &reply:State = 0x2a8581bd2c3998df
(42) [eap] = handled
(42) } # authenticate = handled
(42) Using Post-Auth-Type Challenge
(42) Post-Auth-Type sub-section not found. Ignoring.
(42) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(42) Sent Access-Challenge Id 214 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0
(42) EAP-Message = 0x01bc006b19001703030060b9f4e0a42efec0bee4d249cc360bda244ef5eb4368b4b4f327f7a7f7576312b11aae4a061cc97e76ec3e4c0e9082190d0bc9a581a909759c1c2baf22bb29c97fc63d71bd9b875c4bddb657eaa082997f34f48f5fce577bf5132ae26e47af86da
(42) Message-Authenticator = 0x00000000000000000000000000000000
(42) State = 0x2a8581bd2c3998df1e814808369ac970
(42) Finished request
Waking up in 4.7 seconds.
(43) Received Access-Request Id 215 from 192.168.1.38:55602 to 192.168.1.33:1812 length 253
(43) User-Name = "anonymous"
(43) NAS-IP-Address = 192.168.1.38
(43) NAS-Identifier = "b4fbe4c348ab"
(43) NAS-Port = 0
(43) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
(43) Calling-Station-Id = "E0-4F-43-36-B1-F1"
(43) Framed-MTU = 1400
(43) NAS-Port-Type = Wireless-802.11
(43) Connect-Info = "CONNECT 0Mbps 802.11b"
(43) EAP-Message = 0x02bc004b190017030300400afc0335cdebda0b8aedef718917f7a9b9754affb9dde8383a0f060aa61ccd734c8dbe21fb029818558ea1f8df0577fb7e74b2b1209df846f6fc5555f5161caf
(43) State = 0x2a8581bd2c3998df1e814808369ac970
(43) Message-Authenticator = 0xbf55ee3fc671fa161a966a884ed075db
(43) session-state: No cached attributes
(43) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(43) authorize {
(43) policy filter_username {
(43) if (&User-Name) {
(43) if (&User-Name) -> TRUE
(43) if (&User-Name) {
(43) if (&User-Name =~ / /) {
(43) if (&User-Name =~ / /) -> FALSE
(43) if (&User-Name =~ /@[^@]*@/ ) {
(43) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(43) if (&User-Name =~ /\.\./ ) {
(43) if (&User-Name =~ /\.\./ ) -> FALSE
(43) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(43) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(43) if (&User-Name =~ /\.$/) {
(43) if (&User-Name =~ /\.$/) -> FALSE
(43) if (&User-Name =~ /@\./) {
(43) if (&User-Name =~ /@\./) -> FALSE
(43) } # if (&User-Name) = notfound
(43) } # policy filter_username = notfound
(43) [preprocess] = ok
(43) [chap] = noop
(43) [mschap] = noop
(43) [digest] = noop
(43) suffix: Checking for suffix after "@"
(43) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(43) suffix: No such realm "NULL"
(43) [suffix] = noop
(43) eap: Peer sent EAP Response (code 2) ID 188 length 75
(43) eap: Continuing tunnel setup
(43) [eap] = ok
(43) } # authorize = ok
(43) Found Auth-Type = eap
(43) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(43) authenticate {
(43) eap: Expiring EAP session with state 0xc826a0d6c99aba78
(43) eap: Finished EAP session with state 0x2a8581bd2c3998df
(43) eap: Previous EAP request found for state 0x2a8581bd2c3998df, released from the list
(43) eap: Peer sent packet with method EAP PEAP (25)
(43) eap: Calling submodule eap_peap to process data
(43) eap_peap: Continuing EAP-TLS
(43) eap_peap: [eaptls verify] = ok
(43) eap_peap: Done initial handshake
(43) eap_peap: [eaptls process] = ok
(43) eap_peap: Session established. Decoding tunneled attributes
(43) eap_peap: PEAP state phase2
(43) eap_peap: EAP method MSCHAPv2 (26)
(43) eap_peap: Got tunneled request
(43) eap_peap: EAP-Message = 0x02bc00061a03
(43) eap_peap: Setting User-Name to particle
(43) eap_peap: Sending tunneled request to inner-tunnel
(43) eap_peap: EAP-Message = 0x02bc00061a03
(43) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(43) eap_peap: User-Name = "particle"
(43) eap_peap: State = 0xc826a0d6c99aba78a72f2090812f4b12
(43) Virtual server inner-tunnel received request
(43) EAP-Message = 0x02bc00061a03
(43) FreeRADIUS-Proxied-To = 127.0.0.1
(43) User-Name = "particle"
(43) State = 0xc826a0d6c99aba78a72f2090812f4b12
(43) server inner-tunnel {
(43) session-state: No cached attributes
(43) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(43) authorize {
(43) policy filter_username {
(43) if (&User-Name) {
(43) if (&User-Name) -> TRUE
(43) if (&User-Name) {
(43) if (&User-Name =~ / /) {
(43) if (&User-Name =~ / /) -> FALSE
(43) if (&User-Name =~ /@[^@]*@/ ) {
(43) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(43) if (&User-Name =~ /\.\./ ) {
(43) if (&User-Name =~ /\.\./ ) -> FALSE
(43) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(43) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(43) if (&User-Name =~ /\.$/) {
(43) if (&User-Name =~ /\.$/) -> FALSE
(43) if (&User-Name =~ /@\./) {
(43) if (&User-Name =~ /@\./) -> FALSE
(43) } # if (&User-Name) = notfound
(43) } # policy filter_username = notfound
(43) [chap] = noop
(43) [mschap] = noop
(43) suffix: Checking for suffix after "@"
(43) suffix: No '@' in User-Name = "particle", looking up realm NULL
(43) suffix: No such realm "NULL"
(43) [suffix] = noop
(43) update control {
(43) &Proxy-To-Realm := LOCAL
(43) } # update control = noop
(43) eap: Peer sent EAP Response (code 2) ID 188 length 6
(43) eap: No EAP Start, assuming it's an on-going EAP conversation
(43) [eap] = updated
(43) files: users: Matched entry particle at line 1
(43) [files] = ok
(43) [expiration] = noop
(43) [logintime] = noop
(43) pap: WARNING: Auth-Type already set. Not setting to PAP
(43) [pap] = noop
(43) } # authorize = updated
(43) Found Auth-Type = eap
(43) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(43) authenticate {
(43) eap: Expiring EAP session with state 0xc826a0d6c99aba78
(43) eap: Finished EAP session with state 0xc826a0d6c99aba78
(43) eap: Previous EAP request found for state 0xc826a0d6c99aba78, released from the list
(43) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(43) eap: Calling submodule eap_mschapv2 to process data
(43) eap: Sending EAP Success (code 3) ID 188 length 4
(43) eap: Freeing handler
(43) [eap] = ok
(43) } # authenticate = ok
(43) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(43) post-auth { ... } # empty sub-section is ignored
(43) } # server inner-tunnel
(43) Virtual server sending reply
(43) MS-MPPE-Encryption-Policy = Encryption-Allowed
(43) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(43) MS-MPPE-Send-Key = 0xa3fa08811509145500a1ebcdf3d7eb5d
(43) MS-MPPE-Recv-Key = 0xc972a035aa182fad81e28936609efb98
(43) EAP-Message = 0x03bc0004
(43) Message-Authenticator = 0x00000000000000000000000000000000
(43) User-Name = "particle"
(43) eap_peap: Got tunneled reply code 2
(43) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(43) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(43) eap_peap: MS-MPPE-Send-Key = 0xa3fa08811509145500a1ebcdf3d7eb5d
(43) eap_peap: MS-MPPE-Recv-Key = 0xc972a035aa182fad81e28936609efb98
(43) eap_peap: EAP-Message = 0x03bc0004
(43) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(43) eap_peap: User-Name = "particle"
(43) eap_peap: Got tunneled reply RADIUS code 2
(43) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(43) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(43) eap_peap: MS-MPPE-Send-Key = 0xa3fa08811509145500a1ebcdf3d7eb5d
(43) eap_peap: MS-MPPE-Recv-Key = 0xc972a035aa182fad81e28936609efb98
(43) eap_peap: EAP-Message = 0x03bc0004
(43) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(43) eap_peap: User-Name = "particle"
(43) eap_peap: Tunneled authentication was successful
(43) eap_peap: SUCCESS
(43) eap: Sending EAP Request (code 1) ID 189 length 75
(43) eap: EAP session adding &reply:State = 0x2a8581bd2d3898df
(43) [eap] = handled
(43) } # authenticate = handled
(43) Using Post-Auth-Type Challenge
(43) Post-Auth-Type sub-section not found. Ignoring.
(43) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(43) Sent Access-Challenge Id 215 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0
(43) EAP-Message = 0x01bd004b19001703030040b9bfa8da3c157aefbb79072add6550d5c358cb82d3e35524a00affd2bac853f94e6bab78f4d1ff4a9a67f2887ef428052762834010a626cdf516ba109ff8dd11
(43) Message-Authenticator = 0x00000000000000000000000000000000
(43) State = 0x2a8581bd2d3898df1e814808369ac970
(43) Finished request
William Steen
wjsteen at talktalk.net
> On 20 May 2019, at 09:45, william steen via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> First time using freeradius, attempting to set up a freeradius server on a RPi to create a testing environment for WPA2 Enterprise use on an IoT device. Any help to understand where I am going wrong gratefully received.
>
> Included below is the debug output on startup and when attempting to connect using PEAP-MSCHAPv2 with just username and password (no certificate). The startup contains a few warnings which I assume are not material. The login debug has an error "MS-CHAP2-Response is incorrect" which comes after a "WARNING: Auth-Type already set. Not setting to PAP"?
>
> FreeRADIUS Version 3.0.12
>
> [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
> [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
>
> Ready to process requests
>
> Below is the debug output when trying to connect to the WAP.
>
> (0) Received Access-Request Id 37 from 192.168.1.38:52437 to 192.168.1.33:1812 length 172
> (0) User-Name = "particle"
> (0) NAS-IP-Address = 192.168.1.38
> (0) NAS-Identifier = "b4fbe4c348ab"
> (0) NAS-Port = 0
> (0) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
> (0) Calling-Station-Id = "E0-4F-43-36-B1-F1"
> (0) Framed-MTU = 1400
> (0) NAS-Port-Type = Wireless-802.11
> (0) Connect-Info = "CONNECT 0Mbps 802.11b"
> (0) EAP-Message = 0x0205000d017061727469636c65
> (0) Message-Authenticator = 0x3d7c5462881eb85ae3c3e8b1e7f2dcd8
> (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (0) authorize {
> (0) policy filter_username {
> (0) if (&User-Name) {
> (0) if (&User-Name) -> TRUE
> (0) if (&User-Name) {
> (0) if (&User-Name =~ / /) {
> (0) if (&User-Name =~ / /) -> FALSE
> (0) if (&User-Name =~ /@[^@]*@/ ) {
> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (0) if (&User-Name =~ /\.\./ ) {
> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (0) if (&User-Name =~ /\.$/) {
> (0) if (&User-Name =~ /\.$/) -> FALSE
> (0) if (&User-Name =~ /@\./) {
> (0) if (&User-Name =~ /@\./) -> FALSE
> (0) } # if (&User-Name) = notfound
> (0) } # policy filter_username = notfound
> (0) [preprocess] = ok
> (0) [chap] = noop
> (0) [mschap] = noop
> (0) [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0) [suffix] = noop
> (0) eap: Peer sent EAP Response (code 2) ID 5 length 13
> (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
> (0) [eap] = ok
> (0) } # authorize = ok
> (0) Found Auth-Type = eap
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0) authenticate {
> (0) eap: Peer sent packet with method EAP Identity (1)
> (0) eap: Calling submodule eap_md5 to process data
> (0) eap_md5: Issuing MD5 Challenge
> (0) eap: Sending EAP Request (code 1) ID 6 length 22
> (0) eap: EAP session adding &reply:State = 0x792e584479285c88
> (0) [eap] = handled
> (0) } # authenticate = handled
> (0) Using Post-Auth-Type Challenge
> (0) Post-Auth-Type sub-section not found. Ignoring.
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0) Sent Access-Challenge Id 37 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0
> (0) EAP-Message = 0x0106001604101e0a216dfaac8434a1e13f61d8e18c5f
> (0) Message-Authenticator = 0x00000000000000000000000000000000
> (0) State = 0x792e584479285c88d729d5f4b5ba04a4
> (0) Finished request
> Waking up in 4.9 seconds.
> (1) Received Access-Request Id 38 from 192.168.1.38:52437 to 192.168.1.33:1812 length 183
> (1) User-Name = "particle"
> (1) NAS-IP-Address = 192.168.1.38
> (1) NAS-Identifier = "b4fbe4c348ab"
> (1) NAS-Port = 0
> (1) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
> (1) Calling-Station-Id = "E0-4F-43-36-B1-F1"
> (1) Framed-MTU = 1400
> (1) NAS-Port-Type = Wireless-802.11
> (1) Connect-Info = "CONNECT 0Mbps 802.11b"
> (1) EAP-Message = 0x020600060319
> (1) State = 0x792e584479285c88d729d5f4b5ba04a4
> (1) Message-Authenticator = 0x81a3bc304acaf36767e74474836e1265
> (1) session-state: No cached attributes
> (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (1) authorize {
> (1) policy filter_username {
> (1) if (&User-Name) {
> (1) if (&User-Name) -> TRUE
> (1) if (&User-Name) {
> (1) if (&User-Name =~ / /) {
> (1) if (&User-Name =~ / /) -> FALSE
> (1) if (&User-Name =~ /@[^@]*@/ ) {
> (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (1) if (&User-Name =~ /\.\./ ) {
> (1) if (&User-Name =~ /\.\./ ) -> FALSE
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (1) if (&User-Name =~ /\.$/) {
> (1) if (&User-Name =~ /\.$/) -> FALSE
> (1) if (&User-Name =~ /@\./) {
> (1) if (&User-Name =~ /@\./) -> FALSE
> (1) } # if (&User-Name) = notfound
> (1) } # policy filter_username = notfound
> (1) [preprocess] = ok
> (1) [chap] = noop
> (1) [mschap] = noop
> (1) [digest] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (1) suffix: No such realm "NULL"
> (1) [suffix] = noop
> (1) eap: Peer sent EAP Response (code 2) ID 6 length 6
> (1) eap: No EAP Start, assuming it's an on-going EAP conversation
> (1) [eap] = updated
> (1) files: users: Matched entry particle at line 1
> (1) [files] = ok
> (1) [expiration] = noop
> (1) [logintime] = noop
> (1) pap: WARNING: Auth-Type already set. Not setting to PAP
> (1) [pap] = noop
> (1) } # authorize = updated
> (1) Found Auth-Type = eap
> (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (1) authenticate {
> (1) eap: Expiring EAP session with state 0x792e584479285c88
> (1) eap: Finished EAP session with state 0x792e584479285c88
> (1) eap: Previous EAP request found for state 0x792e584479285c88, released from the list
> (1) eap: Peer sent packet with method EAP NAK (3)
> (1) eap: Found mutually acceptable type PEAP (25)
> (1) eap: Calling submodule eap_peap to process data
> (1) eap_peap: Initiating new EAP-TLS session
> (1) eap_peap: [eaptls start] = request
> (1) eap: Sending EAP Request (code 1) ID 7 length 6
> (1) eap: EAP session adding &reply:State = 0x792e584478294188
> (1) [eap] = handled
> (1) } # authenticate = handled
> (1) Using Post-Auth-Type Challenge
> (1) Post-Auth-Type sub-section not found. Ignoring.
> (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (1) Sent Access-Challenge Id 38 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0
> (1) EAP-Message = 0x010700061920
> (1) Message-Authenticator = 0x00000000000000000000000000000000
> (1) State = 0x792e584478294188d729d5f4b5ba04a4
> (1) Finished request
> Waking up in 4.9 seconds.
> (2) Received Access-Request Id 39 from 192.168.1.38:52437 to 192.168.1.33:1812 length 273
> (2) User-Name = "particle"
> (2) NAS-IP-Address = 192.168.1.38
> (2) NAS-Identifier = "b4fbe4c348ab"
> (2) NAS-Port = 0
> (2) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
> (2) Calling-Station-Id = "E0-4F-43-36-B1-F1"
> (2) Framed-MTU = 1400
> (2) NAS-Port-Type = Wireless-802.11
> (2) Connect-Info = "CONNECT 0Mbps 802.11b"
> (2) EAP-Message = 0x0207006019800000005616030300510100004d030300000013d1a5ed06c133a6582eb8f8b59713a271b38c51af54d5ef2e0cc8b6d6000004003c002f01000020000a000400020017000b00020100000d000e000c020102030301030304010403
> (2) State = 0x792e584478294188d729d5f4b5ba04a4
> (2) Message-Authenticator = 0xbf54c5bcfb0c4aae623b313a7cec24bf
> (2) session-state: No cached attributes
> (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (2) authorize {
> (2) policy filter_username {
> (2) if (&User-Name) {
> (2) if (&User-Name) -> TRUE
> (2) if (&User-Name) {
> (2) if (&User-Name =~ / /) {
> (2) if (&User-Name =~ / /) -> FALSE
> (2) if (&User-Name =~ /@[^@]*@/ ) {
> (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (2) if (&User-Name =~ /\.\./ ) {
> (2) if (&User-Name =~ /\.\./ ) -> FALSE
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (2) if (&User-Name =~ /\.$/) {
> (2) if (&User-Name =~ /\.$/) -> FALSE
> (2) if (&User-Name =~ /@\./) {
> (2) if (&User-Name =~ /@\./) -> FALSE
> (2) } # if (&User-Name) = notfound
> (2) } # policy filter_username = notfound
> (2) [preprocess] = ok
> (2) [chap] = noop
> (2) [mschap] = noop
> (2) [digest] = noop
> (2) suffix: Checking for suffix after "@"
> (2) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (2) suffix: No such realm "NULL"
> (2) [suffix] = noop
> (2) eap: Peer sent EAP Response (code 2) ID 7 length 96
> (2) eap: Continuing tunnel setup
> (2) [eap] = ok
> (2) } # authorize = ok
> (2) Found Auth-Type = eap
> (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (2) authenticate {
> (2) eap: Expiring EAP session with state 0x792e584478294188
> (2) eap: Finished EAP session with state 0x792e584478294188
> (2) eap: Previous EAP request found for state 0x792e584478294188, released from the list
> (2) eap: Peer sent packet with method EAP PEAP (25)
> (2) eap: Calling submodule eap_peap to process data
> (2) eap_peap: Continuing EAP-TLS
> (2) eap_peap: Peer indicated complete TLS record size will be 86 bytes
> (2) eap_peap: Got complete TLS record (86 bytes)
> (2) eap_peap: [eaptls verify] = length included
> (2) eap_peap: (other): before SSL initialization
> (2) eap_peap: TLS_accept: before SSL initialization
> (2) eap_peap: TLS_accept: before SSL initialization
> (2) eap_peap: <<< recv TLS 1.2 [length 0051]
> (2) eap_peap: TLS_accept: SSLv3/TLS read client hello
> (2) eap_peap: >>> send TLS 1.2 [length 002a]
> (2) eap_peap: TLS_accept: SSLv3/TLS write server hello
> (2) eap_peap: >>> send TLS 1.2 [length 02f1]
> (2) eap_peap: TLS_accept: SSLv3/TLS write certificate
> (2) eap_peap: >>> send TLS 1.2 [length 0004]
> (2) eap_peap: TLS_accept: SSLv3/TLS write server done
> (2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
> (2) eap_peap: In SSL Handshake Phase
> (2) eap_peap: In SSL Accept mode
> (2) eap_peap: [eaptls process] = handled
> (2) eap: Sending EAP Request (code 1) ID 8 length 820
> (2) eap: EAP session adding &reply:State = 0x792e58447b264188
> (2) [eap] = handled
> (2) } # authenticate = handled
> (2) Using Post-Auth-Type Challenge
> (2) Post-Auth-Type sub-section not found. Ignoring.
> (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (2) Sent Access-Challenge Id 39 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0
> (2) EAP-Message = 0x010803341900160303002a0200002603035010c628e6c3e571ecdfcb7ed14e02f944e131af1f1483cff17b618c02935b4200003c0016030302f10b0002ed0002ea0002e7308202e3308201cba003020102020900a170e33eaa8a04e7300d06092a864886f70d01010b0500301b3119301706035504030c
> (2) Message-Authenticator = 0x00000000000000000000000000000000
> (2) State = 0x792e58447b264188d729d5f4b5ba04a4
> (2) Finished request
> Waking up in 4.9 seconds.
> (3) Received Access-Request Id 40 from 192.168.1.38:52437 to 192.168.1.33:1812 length 547
> (3) User-Name = "particle"
> (3) NAS-IP-Address = 192.168.1.38
> (3) NAS-Identifier = "b4fbe4c348ab"
> (3) NAS-Port = 0
> (3) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
> (3) Calling-Station-Id = "E0-4F-43-36-B1-F1"
> (3) Framed-MTU = 1400
> (3) NAS-Port-Type = Wireless-802.11
> (3) Connect-Info = "CONNECT 0Mbps 802.11b"
> (3) EAP-Message = 0x02080170198000000166160303010610000102010070ac8a7222a41f5fab40c2a114f343932b699e7629ee25a0ef96616b1582f4e105812e9efb79e3696823f69a931188eeb04bd2f4d9b67869db2d585364c2515a1d44414cc41bc6d87ba8df2ad36e6ba1e57e10fbeb14fc76837d57b50d95a780dc67
> (3) State = 0x792e58447b264188d729d5f4b5ba04a4
> (3) Message-Authenticator = 0xe80722a96c83d29962b7c6216f7a1b24
> (3) session-state: No cached attributes
> (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (3) authorize {
> (3) policy filter_username {
> (3) if (&User-Name) {
> (3) if (&User-Name) -> TRUE
> (3) if (&User-Name) {
> (3) if (&User-Name =~ / /) {
> (3) if (&User-Name =~ / /) -> FALSE
> (3) if (&User-Name =~ /@[^@]*@/ ) {
> (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (3) if (&User-Name =~ /\.\./ ) {
> (3) if (&User-Name =~ /\.\./ ) -> FALSE
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (3) if (&User-Name =~ /\.$/) {
> (3) if (&User-Name =~ /\.$/) -> FALSE
> (3) if (&User-Name =~ /@\./) {
> (3) if (&User-Name =~ /@\./) -> FALSE
> (3) } # if (&User-Name) = notfound
> (3) } # policy filter_username = notfound
> (3) [preprocess] = ok
> (3) [chap] = noop
> (3) [mschap] = noop
> (3) [digest] = noop
> (3) suffix: Checking for suffix after "@"
> (3) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (3) suffix: No such realm "NULL"
> (3) [suffix] = noop
> (3) eap: Peer sent EAP Response (code 2) ID 8 length 368
> (3) eap: Continuing tunnel setup
> (3) [eap] = ok
> (3) } # authorize = ok
> (3) Found Auth-Type = eap
> (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (3) authenticate {
> (3) eap: Expiring EAP session with state 0x792e58447b264188
> (3) eap: Finished EAP session with state 0x792e58447b264188
> (3) eap: Previous EAP request found for state 0x792e58447b264188, released from the list
> (3) eap: Peer sent packet with method EAP PEAP (25)
> (3) eap: Calling submodule eap_peap to process data
> (3) eap_peap: Continuing EAP-TLS
> (3) eap_peap: Peer indicated complete TLS record size will be 358 bytes
> (3) eap_peap: Got complete TLS record (358 bytes)
> (3) eap_peap: [eaptls verify] = length included
> (3) eap_peap: TLS_accept: SSLv3/TLS write server done
> (3) eap_peap: <<< recv TLS 1.2 [length 0106]
> (3) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
> (3) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
> (3) eap_peap: <<< recv TLS 1.2 [length 0010]
> (3) eap_peap: TLS_accept: SSLv3/TLS read finished
> (3) eap_peap: >>> send TLS 1.2 [length 0001]
> (3) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
> (3) eap_peap: >>> send TLS 1.2 [length 0010]
> (3) eap_peap: TLS_accept: SSLv3/TLS write finished
> (3) eap_peap: (other): SSL negotiation finished successfully
> (3) eap_peap: SSL Connection Established
> (3) eap_peap: [eaptls process] = handled
> (3) eap: Sending EAP Request (code 1) ID 9 length 97
> (3) eap: EAP session adding &reply:State = 0x792e58447a274188
> (3) [eap] = handled
> (3) } # authenticate = handled
> (3) Using Post-Auth-Type Challenge
> (3) Post-Auth-Type sub-section not found. Ignoring.
> (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (3) Sent Access-Challenge Id 40 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0
> (3) EAP-Message = 0x0109006119001403030001011603030050e4ccfeb29d521f23bceec5b5a6d2086989af54bf30c104ebd10fcadeda3e144e401aeac50e2f2d6fb28711841f9bff03cac82c6e94eb8082d4da10ef0950f6eae7f637b23f93d14e28952fa0735e8273
> (3) Message-Authenticator = 0x00000000000000000000000000000000
> (3) State = 0x792e58447a274188d729d5f4b5ba04a4
> (3) Finished request
> Waking up in 4.8 seconds.
> (4) Received Access-Request Id 41 from 192.168.1.38:52437 to 192.168.1.33:1812 length 183
> (4) User-Name = "particle"
> (4) NAS-IP-Address = 192.168.1.38
> (4) NAS-Identifier = "b4fbe4c348ab"
> (4) NAS-Port = 0
> (4) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
> (4) Calling-Station-Id = "E0-4F-43-36-B1-F1"
> (4) Framed-MTU = 1400
> (4) NAS-Port-Type = Wireless-802.11
> (4) Connect-Info = "CONNECT 0Mbps 802.11b"
> (4) EAP-Message = 0x020900061900
> (4) State = 0x792e58447a274188d729d5f4b5ba04a4
> (4) Message-Authenticator = 0x95b4fe0eef8a5368d718ba97543624d1
> (4) session-state: No cached attributes
> (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (4) authorize {
> (4) policy filter_username {
> (4) if (&User-Name) {
> (4) if (&User-Name) -> TRUE
> (4) if (&User-Name) {
> (4) if (&User-Name =~ / /) {
> (4) if (&User-Name =~ / /) -> FALSE
> (4) if (&User-Name =~ /@[^@]*@/ ) {
> (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (4) if (&User-Name =~ /\.\./ ) {
> (4) if (&User-Name =~ /\.\./ ) -> FALSE
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (4) if (&User-Name =~ /\.$/) {
> (4) if (&User-Name =~ /\.$/) -> FALSE
> (4) if (&User-Name =~ /@\./) {
> (4) if (&User-Name =~ /@\./) -> FALSE
> (4) } # if (&User-Name) = notfound
> (4) } # policy filter_username = notfound
> (4) [preprocess] = ok
> (4) [chap] = noop
> (4) [mschap] = noop
> (4) [digest] = noop
> (4) suffix: Checking for suffix after "@"
> (4) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (4) suffix: No such realm "NULL"
> (4) [suffix] = noop
> (4) eap: Peer sent EAP Response (code 2) ID 9 length 6
> (4) eap: Continuing tunnel setup
> (4) [eap] = ok
> (4) } # authorize = ok
> (4) Found Auth-Type = eap
> (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (4) authenticate {
> (4) eap: Expiring EAP session with state 0x792e58447a274188
> (4) eap: Finished EAP session with state 0x792e58447a274188
> (4) eap: Previous EAP request found for state 0x792e58447a274188, released from the list
> (4) eap: Peer sent packet with method EAP PEAP (25)
> (4) eap: Calling submodule eap_peap to process data
> (4) eap_peap: Continuing EAP-TLS
> (4) eap_peap: Peer ACKed our handshake fragment. handshake is finished
> (4) eap_peap: [eaptls verify] = success
> (4) eap_peap: [eaptls process] = success
> (4) eap_peap: Session established. Decoding tunneled attributes
> (4) eap_peap: PEAP state TUNNEL ESTABLISHED
> (4) eap: Sending EAP Request (code 1) ID 10 length 75
> (4) eap: EAP session adding &reply:State = 0x792e58447d244188
> (4) [eap] = handled
> (4) } # authenticate = handled
> (4) Using Post-Auth-Type Challenge
> (4) Post-Auth-Type sub-section not found. Ignoring.
> (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (4) Sent Access-Challenge Id 41 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0
> (4) EAP-Message = 0x010a004b19001703030040876f919e5b6f69b08d7d8082925085f96d9d4dc5d287be8a2220d788f3d81410117ac9b30cfe5bf1fdbd3fa127a1c59c9f43f811e9a1ed62184e6b52111b2cc9
> (4) Message-Authenticator = 0x00000000000000000000000000000000
> (4) State = 0x792e58447d244188d729d5f4b5ba04a4
> (4) Finished request
> Waking up in 4.8 seconds.
> (5) Received Access-Request Id 42 from 192.168.1.38:52437 to 192.168.1.33:1812 length 252
> (5) User-Name = "particle"
> (5) NAS-IP-Address = 192.168.1.38
> (5) NAS-Identifier = "b4fbe4c348ab"
> (5) NAS-Port = 0
> (5) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
> (5) Calling-Station-Id = "E0-4F-43-36-B1-F1"
> (5) Framed-MTU = 1400
> (5) NAS-Port-Type = Wireless-802.11
> (5) Connect-Info = "CONNECT 0Mbps 802.11b"
> (5) EAP-Message = 0x020a004b19001703030040fdcdeff9a7da7077eb3784b51917dbb3f4b705b340e03a3feaf97f3de31941cb2864a9b7a6363f305b5c239727284a9e38bf34deab83141d8393bbc165f2cee7
> (5) State = 0x792e58447d244188d729d5f4b5ba04a4
> (5) Message-Authenticator = 0x16e198c5d18d50d6db5da8dc8ea94e23
> (5) session-state: No cached attributes
> (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (5) authorize {
> (5) policy filter_username {
> (5) if (&User-Name) {
> (5) if (&User-Name) -> TRUE
> (5) if (&User-Name) {
> (5) if (&User-Name =~ / /) {
> (5) if (&User-Name =~ / /) -> FALSE
> (5) if (&User-Name =~ /@[^@]*@/ ) {
> (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (5) if (&User-Name =~ /\.\./ ) {
> (5) if (&User-Name =~ /\.\./ ) -> FALSE
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (5) if (&User-Name =~ /\.$/) {
> (5) if (&User-Name =~ /\.$/) -> FALSE
> (5) if (&User-Name =~ /@\./) {
> (5) if (&User-Name =~ /@\./) -> FALSE
> (5) } # if (&User-Name) = notfound
> (5) } # policy filter_username = notfound
> (5) [preprocess] = ok
> (5) [chap] = noop
> (5) [mschap] = noop
> (5) [digest] = noop
> (5) suffix: Checking for suffix after "@"
> (5) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (5) suffix: No such realm "NULL"
> (5) [suffix] = noop
> (5) eap: Peer sent EAP Response (code 2) ID 10 length 75
> (5) eap: Continuing tunnel setup
> (5) [eap] = ok
> (5) } # authorize = ok
> (5) Found Auth-Type = eap
> (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (5) authenticate {
> (5) eap: Expiring EAP session with state 0x792e58447d244188
> (5) eap: Finished EAP session with state 0x792e58447d244188
> (5) eap: Previous EAP request found for state 0x792e58447d244188, released from the list
> (5) eap: Peer sent packet with method EAP PEAP (25)
> (5) eap: Calling submodule eap_peap to process data
> (5) eap_peap: Continuing EAP-TLS
> (5) eap_peap: [eaptls verify] = ok
> (5) eap_peap: Done initial handshake
> (5) eap_peap: [eaptls process] = ok
> (5) eap_peap: Session established. Decoding tunneled attributes
> (5) eap_peap: PEAP state WAITING FOR INNER IDENTITY
> (5) eap_peap: Identity - particle
> (5) eap_peap: Got inner identity 'particle'
> (5) eap_peap: Setting default EAP type for tunneled EAP session
> (5) eap_peap: Got tunneled request
> (5) eap_peap: EAP-Message = 0x020a000d017061727469636c65
> (5) eap_peap: Setting User-Name to particle
> (5) eap_peap: Sending tunneled request to inner-tunnel
> (5) eap_peap: EAP-Message = 0x020a000d017061727469636c65
> (5) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
> (5) eap_peap: User-Name = "particle"
> (5) Virtual server inner-tunnel received request
> (5) EAP-Message = 0x020a000d017061727469636c65
> (5) FreeRADIUS-Proxied-To = 127.0.0.1
> (5) User-Name = "particle"
> (5) WARNING: Outer and inner identities are the same. User privacy is compromised.
> (5) server inner-tunnel {
> (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (5) authorize {
> (5) policy filter_username {
> (5) if (&User-Name) {
> (5) if (&User-Name) -> TRUE
> (5) if (&User-Name) {
> (5) if (&User-Name =~ / /) {
> (5) if (&User-Name =~ / /) -> FALSE
> (5) if (&User-Name =~ /@[^@]*@/ ) {
> (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (5) if (&User-Name =~ /\.\./ ) {
> (5) if (&User-Name =~ /\.\./ ) -> FALSE
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (5) if (&User-Name =~ /\.$/) {
> (5) if (&User-Name =~ /\.$/) -> FALSE
> (5) if (&User-Name =~ /@\./) {
> (5) if (&User-Name =~ /@\./) -> FALSE
> (5) } # if (&User-Name) = notfound
> (5) } # policy filter_username = notfound
> (5) [chap] = noop
> (5) [mschap] = noop
> (5) suffix: Checking for suffix after "@"
> (5) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (5) suffix: No such realm "NULL"
> (5) [suffix] = noop
> (5) update control {
> (5) &Proxy-To-Realm := LOCAL
> (5) } # update control = noop
> (5) eap: Peer sent EAP Response (code 2) ID 10 length 13
> (5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
> (5) [eap] = ok
> (5) } # authorize = ok
> (5) Found Auth-Type = eap
> (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (5) authenticate {
> (5) eap: Peer sent packet with method EAP Identity (1)
> (5) eap: Calling submodule eap_mschapv2 to process data
> (5) eap_mschapv2: Issuing Challenge
> (5) eap: Sending EAP Request (code 1) ID 11 length 43
> (5) eap: EAP session adding &reply:State = 0x9ed5137a9ede0992
> (5) [eap] = handled
> (5) } # authenticate = handled
> (5) } # server inner-tunnel
> (5) Virtual server sending reply
> (5) EAP-Message = 0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa667265657261646975732d332e302e3132
> (5) Message-Authenticator = 0x00000000000000000000000000000000
> (5) State = 0x9ed5137a9ede099241d17dbdaa28bbf3
> (5) eap_peap: Got tunneled reply code 11
> (5) eap_peap: EAP-Message = 0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa667265657261646975732d332e302e3132
> (5) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
> (5) eap_peap: State = 0x9ed5137a9ede099241d17dbdaa28bbf3
> (5) eap_peap: Got tunneled reply RADIUS code 11
> (5) eap_peap: EAP-Message = 0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa667265657261646975732d332e302e3132
> (5) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
> (5) eap_peap: State = 0x9ed5137a9ede099241d17dbdaa28bbf3
> (5) eap_peap: Got tunneled Access-Challenge
> (5) eap: Sending EAP Request (code 1) ID 11 length 107
> (5) eap: EAP session adding &reply:State = 0x792e58447c254188
> (5) [eap] = handled
> (5) } # authenticate = handled
> (5) Using Post-Auth-Type Challenge
> (5) Post-Auth-Type sub-section not found. Ignoring.
> (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (5) Sent Access-Challenge Id 42 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0
> (5) EAP-Message = 0x010b006b19001703030060427e72f2a75ff426efd53ee1f42bf29ba4aae389d83bc4b7e8f1257e772430ede3cb69944b24e4f7b6280ffa62e224b27be20c2c641b0fbf6a77cab9ef38ba1f47e79470ecca8368ca25beda56349c1e21e3d49b1db8bc2bd749aab8bf3aa3cb
> (5) Message-Authenticator = 0x00000000000000000000000000000000
> (5) State = 0x792e58447c254188d729d5f4b5ba04a4
> (5) Finished request
> Waking up in 4.7 seconds.
> (6) Received Access-Request Id 43 from 192.168.1.38:52437 to 192.168.1.33:1812 length 300
> (6) User-Name = "particle"
> (6) NAS-IP-Address = 192.168.1.38
> (6) NAS-Identifier = "b4fbe4c348ab"
> (6) NAS-Port = 0
> (6) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
> (6) Calling-Station-Id = "E0-4F-43-36-B1-F1"
> (6) Framed-MTU = 1400
> (6) NAS-Port-Type = Wireless-802.11
> (6) Connect-Info = "CONNECT 0Mbps 802.11b"
> (6) EAP-Message = 0x020b007b19001703030070fdcdeff9a7da7077eb3784b51917dbb344ede7b63a9b0f5b11eb7701e504139b09564427efbb43c2ec17f8b42b4124f8fbfc5b440c1c050ff8aa9b8badfaedf539c727f4dfa655815cc469a0812b494ea16db3c4e1ffb49720bdf58408642e7387e7d103393cc91e2db29818
> (6) State = 0x792e58447c254188d729d5f4b5ba04a4
> (6) Message-Authenticator = 0x9d932302c8a3d3979d08ad610dcc59e7
> (6) session-state: No cached attributes
> (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (6) authorize {
> (6) policy filter_username {
> (6) if (&User-Name) {
> (6) if (&User-Name) -> TRUE
> (6) if (&User-Name) {
> (6) if (&User-Name =~ / /) {
> (6) if (&User-Name =~ / /) -> FALSE
> (6) if (&User-Name =~ /@[^@]*@/ ) {
> (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (6) if (&User-Name =~ /\.\./ ) {
> (6) if (&User-Name =~ /\.\./ ) -> FALSE
> (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (6) if (&User-Name =~ /\.$/) {
> (6) if (&User-Name =~ /\.$/) -> FALSE
> (6) if (&User-Name =~ /@\./) {
> (6) if (&User-Name =~ /@\./) -> FALSE
> (6) } # if (&User-Name) = notfound
> (6) } # policy filter_username = notfound
> (6) [preprocess] = ok
> (6) [chap] = noop
> (6) [mschap] = noop
> (6) [digest] = noop
> (6) suffix: Checking for suffix after "@"
> (6) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (6) suffix: No such realm "NULL"
> (6) [suffix] = noop
> (6) eap: Peer sent EAP Response (code 2) ID 11 length 123
> (6) eap: Continuing tunnel setup
> (6) [eap] = ok
> (6) } # authorize = ok
> (6) Found Auth-Type = eap
> (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (6) authenticate {
> (6) eap: Expiring EAP session with state 0x9ed5137a9ede0992
> (6) eap: Finished EAP session with state 0x792e58447c254188
> (6) eap: Previous EAP request found for state 0x792e58447c254188, released from the list
> (6) eap: Peer sent packet with method EAP PEAP (25)
> (6) eap: Calling submodule eap_peap to process data
> (6) eap_peap: Continuing EAP-TLS
> (6) eap_peap: [eaptls verify] = ok
> (6) eap_peap: Done initial handshake
> (6) eap_peap: [eaptls process] = ok
> (6) eap_peap: Session established. Decoding tunneled attributes
> (6) eap_peap: PEAP state phase2
> (6) eap_peap: EAP method MSCHAPv2 (26)
> (6) eap_peap: Got tunneled request
> (6) eap_peap: EAP-Message = 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd200000000000000005984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65
> (6) eap_peap: Setting User-Name to particle
> (6) eap_peap: Sending tunneled request to inner-tunnel
> (6) eap_peap: EAP-Message = 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd200000000000000005984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65
> (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
> (6) eap_peap: User-Name = "particle"
> (6) eap_peap: State = 0x9ed5137a9ede099241d17dbdaa28bbf3
> (6) Virtual server inner-tunnel received request
> (6) EAP-Message = 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd200000000000000005984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65
> (6) FreeRADIUS-Proxied-To = 127.0.0.1
> (6) User-Name = "particle"
> (6) State = 0x9ed5137a9ede099241d17dbdaa28bbf3
> (6) WARNING: Outer and inner identities are the same. User privacy is compromised.
> (6) server inner-tunnel {
> (6) session-state: No cached attributes
> (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (6) authorize {
> (6) policy filter_username {
> (6) if (&User-Name) {
> (6) if (&User-Name) -> TRUE
> (6) if (&User-Name) {
> (6) if (&User-Name =~ / /) {
> (6) if (&User-Name =~ / /) -> FALSE
> (6) if (&User-Name =~ /@[^@]*@/ ) {
> (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (6) if (&User-Name =~ /\.\./ ) {
> (6) if (&User-Name =~ /\.\./ ) -> FALSE
> (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (6) if (&User-Name =~ /\.$/) {
> (6) if (&User-Name =~ /\.$/) -> FALSE
> (6) if (&User-Name =~ /@\./) {
> (6) if (&User-Name =~ /@\./) -> FALSE
> (6) } # if (&User-Name) = notfound
> (6) } # policy filter_username = notfound
> (6) [chap] = noop
> (6) [mschap] = noop
> (6) suffix: Checking for suffix after "@"
> (6) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (6) suffix: No such realm "NULL"
> (6) [suffix] = noop
> (6) update control {
> (6) &Proxy-To-Realm := LOCAL
> (6) } # update control = noop
> (6) eap: Peer sent EAP Response (code 2) ID 11 length 67
> (6) eap: No EAP Start, assuming it's an on-going EAP conversation
> (6) [eap] = updated
> (6) files: users: Matched entry particle at line 1
> (6) [files] = ok
> (6) [expiration] = noop
> (6) [logintime] = noop
> (6) pap: WARNING: Auth-Type already set. Not setting to PAP
> (6) [pap] = noop
> (6) } # authorize = updated
> (6) Found Auth-Type = eap
> (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (6) authenticate {
> (6) eap: Expiring EAP session with state 0x9ed5137a9ede0992
> (6) eap: Finished EAP session with state 0x9ed5137a9ede0992
> (6) eap: Previous EAP request found for state 0x9ed5137a9ede0992, released from the list
> (6) eap: Peer sent packet with method EAP MSCHAPv2 (26)
> (6) eap: Calling submodule eap_mschapv2 to process data
> (6) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (6) eap_mschapv2: authenticate {
> (6) mschap: Found Cleartext-Password, hashing to create NT-Password
> (6) mschap: Found Cleartext-Password, hashing to create LM-Password
> (6) mschap: Creating challenge hash with username: particle
> (6) mschap: Client is using MS-CHAPv2
> (6) mschap: ERROR: MS-CHAP2-Response is incorrect
> (6) [mschap] = reject
> (6) } # authenticate = reject
> (6) eap: Sending EAP Failure (code 4) ID 11 length 4
> (6) eap: Freeing handler
> (6) [eap] = reject
> (6) } # authenticate = reject
> (6) Failed to authenticate the user
> (6) Using Post-Auth-Type Reject
> (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (6) Post-Auth-Type REJECT {
> (6) attr_filter.access_reject: EXPAND %{User-Name}
> (6) attr_filter.access_reject: --> particle
> (6) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (6) [attr_filter.access_reject] = updated
> (6) update outer.session-state {
> (6) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: MS-CHAP2-Response is incorrect'
> (6) } # update outer.session-state = noop
> (6) } # Post-Auth-Type REJECT = updated
> (6) } # server inner-tunnel
> (6) Virtual server sending reply
> (6) MS-CHAP-Error = "\013E=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed"
> (6) EAP-Message = 0x040b0004
> (6) Message-Authenticator = 0x00000000000000000000000000000000
> (6) eap_peap: Got tunneled reply code 3
> (6) eap_peap: MS-CHAP-Error = "\013E=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed"
> (6) eap_peap: EAP-Message = 0x040b0004
> (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
> (6) eap_peap: Got tunneled reply RADIUS code 3
> (6) eap_peap: MS-CHAP-Error = "\013E=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed"
> (6) eap_peap: EAP-Message = 0x040b0004
> (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
> (6) eap_peap: Tunneled authentication was rejected
> (6) eap_peap: FAILURE
> (6) eap: Sending EAP Request (code 1) ID 12 length 75
> (6) eap: EAP session adding &reply:State = 0x792e58447f224188
> (6) [eap] = handled
> (6) } # authenticate = handled
> (6) Using Post-Auth-Type Challenge
> (6) Post-Auth-Type sub-section not found. Ignoring.
> (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (6) session-state: Saving cached attributes
> (6) Module-Failure-Message := "mschap: MS-CHAP2-Response is incorrect"
> (6) Sent Access-Challenge Id 43 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0
> (6) EAP-Message = 0x010c004b190017030300400c78fe983c5dd192db59da8240896c96033a7305a8f101405d8d1c04a6b8b77542214f016ab70bfe1a2c9039ff65e7c215f722faedc84912623688cb283b2cbd
> (6) Message-Authenticator = 0x00000000000000000000000000000000
> (6) State = 0x792e58447f224188d729d5f4b5ba04a4
> (6) Finished request
> Waking up in 4.7 seconds.
> (7) Received Access-Request Id 44 from 192.168.1.38:52437 to 192.168.1.33:1812 length 252
> (7) User-Name = "particle"
> (7) NAS-IP-Address = 192.168.1.38
> (7) NAS-Identifier = "b4fbe4c348ab"
> (7) NAS-Port = 0
> (7) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
> (7) Calling-Station-Id = "E0-4F-43-36-B1-F1"
> (7) Framed-MTU = 1400
> (7) NAS-Port-Type = Wireless-802.11
> (7) Connect-Info = "CONNECT 0Mbps 802.11b"
> (7) EAP-Message = 0x020c004b19001703030040fdcdeff9a7da7077eb3784b51917dbb315f7e335a9c8a19767c1033ff9329c5f037450eba6f2eb7a9b9347ed8606cef0ce75ae3f03a9518a7ecf3c4b642716ea
> (7) State = 0x792e58447f224188d729d5f4b5ba04a4
> (7) Message-Authenticator = 0xc6525ab028d9d5e9459c8d3d25442ff7
> (7) Restoring &session-state
> (7) &session-state:Module-Failure-Message := "mschap: MS-CHAP2-Response is incorrect"
> (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (7) authorize {
> (7) policy filter_username {
> (7) if (&User-Name) {
> (7) if (&User-Name) -> TRUE
> (7) if (&User-Name) {
> (7) if (&User-Name =~ / /) {
> (7) if (&User-Name =~ / /) -> FALSE
> (7) if (&User-Name =~ /@[^@]*@/ ) {
> (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (7) if (&User-Name =~ /\.\./ ) {
> (7) if (&User-Name =~ /\.\./ ) -> FALSE
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (7) if (&User-Name =~ /\.$/) {
> (7) if (&User-Name =~ /\.$/) -> FALSE
> (7) if (&User-Name =~ /@\./) {
> (7) if (&User-Name =~ /@\./) -> FALSE
> (7) } # if (&User-Name) = notfound
> (7) } # policy filter_username = notfound
> (7) [preprocess] = ok
> (7) [chap] = noop
> (7) [mschap] = noop
> (7) [digest] = noop
> (7) suffix: Checking for suffix after "@"
> (7) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (7) suffix: No such realm "NULL"
> (7) [suffix] = noop
> (7) eap: Peer sent EAP Response (code 2) ID 12 length 75
> (7) eap: Continuing tunnel setup
> (7) [eap] = ok
> (7) } # authorize = ok
> (7) Found Auth-Type = eap
> (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (7) authenticate {
> (7) eap: Expiring EAP session with state 0x792e58447f224188
> (7) eap: Finished EAP session with state 0x792e58447f224188
> (7) eap: Previous EAP request found for state 0x792e58447f224188, released from the list
> (7) eap: Peer sent packet with method EAP PEAP (25)
> (7) eap: Calling submodule eap_peap to process data
> (7) eap_peap: Continuing EAP-TLS
> (7) eap_peap: [eaptls verify] = ok
> (7) eap_peap: Done initial handshake
> (7) eap_peap: [eaptls process] = ok
> (7) eap_peap: Session established. Decoding tunneled attributes
> (7) eap_peap: PEAP state send tlv failure
> (7) eap_peap: Received EAP-TLV response
> (7) eap_peap: The users session was previously rejected: returning reject (again.)
> (7) eap_peap: This means you need to read the PREVIOUS messages in the debug output
> (7) eap_peap: to find out the reason why the user was rejected
> (7) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
> (7) eap_peap: what went wrong, and how to fix the problem
> (7) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
> (7) eap: Sending EAP Failure (code 4) ID 12 length 4
> (7) eap: Failed in EAP select
> (7) [eap] = invalid
> (7) } # authenticate = invalid
> (7) Failed to authenticate the user
> (7) Using Post-Auth-Type Reject
> (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (7) Post-Auth-Type REJECT {
> (7) attr_filter.access_reject: EXPAND %{User-Name}
> (7) attr_filter.access_reject: --> particle
> (7) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (7) [attr_filter.access_reject] = updated
> (7) [eap] = noop
> (7) policy remove_reply_message_if_eap {
> (7) if (&reply:EAP-Message && &reply:Reply-Message) {
> (7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (7) else {
> (7) [noop] = noop
> (7) } # else = noop
> (7) } # policy remove_reply_message_if_eap = noop
> (7) } # Post-Auth-Type REJECT = updated
> (7) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (7) Sending delayed response
> (7) Sent Access-Reject Id 44 from 192.168.1.33:1812 to 192.168.1.38:52437 length 44
> (7) EAP-Message = 0x040c0004
> (7) Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 3.7 seconds.
> (0) Cleaning up request packet ID 37 with timestamp +37
> (1) Cleaning up request packet ID 38 with timestamp +37
> (2) Cleaning up request packet ID 39 with timestamp +37
> Waking up in 0.1 seconds.
> (3) Cleaning up request packet ID 40 with timestamp +37
> (4) Cleaning up request packet ID 41 with timestamp +37
> (5) Cleaning up request packet ID 42 with timestamp +37
> (6) Cleaning up request packet ID 43 with timestamp +37
> (7) Cleaning up request packet ID 44 with timestamp +37
>
> Thanks in advance for any help.
>
> Will
>
> wjsteen at talktalk.net
>
>
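Added example, not part of the original post and not FreeRADIUS code: a Python sketch of the step the debug output itself recommends, finding the earlier "reject"/"ERROR" line instead of reading only the final reply. It groups `freeradius -X` lines by request number and decodes the MS-CHAP-Error string with the RFC 2759 failure codes; the function names and regexes are assumptions of this example, and the sample lines are copied from the quoted log.

```python
import re

# Failure codes defined for the MS-CHAPv2 Failure packet in RFC 2759.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD",
}

# Lines copied from the quoted debug output, "> " reply prefix included.
SAMPLE = r'''> (6) mschap: ERROR: MS-CHAP2-Response is incorrect
> (6) MS-CHAP-Error = "\013E=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed"
> (6) Sent Access-Challenge Id 43 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0
> Waking up in 4.7 seconds.
> (7) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
> (7) Sent Access-Reject Id 44 from 192.168.1.33:1812 to 192.168.1.38:52437 length 44
'''

LINE = re.compile(r'^(?:>\s?)*\((\d+)\)\s+(.*)$')   # "(N) text", optionally quoted
FAIL = re.compile(r'ERROR:|\] = (?:reject|fail)')    # module errors and verdicts
SENT = re.compile(r'^Sent (Access-\w+) Id \d+')
MSERR = re.compile(r'E=(\d+) R=([01]) C=([0-9A-Fa-f]{32}) V=(\d+) M=(.*?)"?$')

def parse_mschap_error(text):
    """Decode the 'E=.. R=.. C=.. V=.. M=..' failure string; None if absent."""
    m = MSERR.search(text)
    if not m:
        return None
    code = int(m.group(1))
    return {"code": code, "name": MSCHAP_ERRORS.get(code, "unknown"),
            "retry_allowed": m.group(2) == "1", "version": int(m.group(4)), "message": m.group(5)}

def triage(log):
    """Map request number -> first failure line, MS-CHAP error, packet sent."""
    out = {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # e.g. "Waking up in ..." carries no request number
        req, body = int(m.group(1)), m.group(2)
        rec = out.setdefault(req, {"first_failure": None, "mschap_error": None, "sent": None})
        if rec["first_failure"] is None and FAIL.search(body):
            rec["first_failure"] = body
        if rec["mschap_error"] is None and "MS-CHAP-Error" in body:
            rec["mschap_error"] = parse_mschap_error(body)
        sent = SENT.match(body)
        if sent:
            rec["sent"] = sent.group(1)
    return out

def root_cause(log):
    """Earliest request that logged a failure; it precedes the Access-Reject."""
    hits = [(r, v["first_failure"]) for r, v in sorted(triage(log).items()) if v["first_failure"]]
    return hits[0] if hits else None
```

In the quoted log, request 6 is answered with an Access-Challenge even though the inner MS-CHAPv2 exchange has already failed; the Access-Reject only follows in request 7, which is why the cause has to be read from the earlier request.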