EAP Submodule failed. PAM module issue.
HORMAZABAL PIÑONES BARBARA FRANCISCA
bhp001 at alumnos.ucn.cl
Tue Sep 1 18:02:07 CEST 2020
Thank you for answering, Alan. I changed the settings in the eap file and
inner-tunnel. In the eap it's now eap_type = ttls. I'm still having
problems with the PAM-IMAP module though.
Looking around the internet I found that there was a type in setting the
users with PAM. So I have them in my users file as
DEFAULT Virtual-Server == inner-tunnel, Pam-Auth = "pam-imap-radius", Auth-Type = PAM
Reading the output, these lines are causing the problem.
(7) pam: Using pamauth string "pam-imap-radius2" for pam.conf lookup
(7) pam: ERROR: pam_authenticate failed: Module is unknown
For some reason it doesn't recognize that with the realm "ucn.cl" it should be
using pam-imap-radius and not pam-imap-radius2.
The output:
(0) Received Access-Request Id 110 from 192.168.128.34:39957 to
146.83.124.26:1812 length 402
(0) User-Name = "wifi@ucn.cl"
(0) NAS-IP-Address = 192.168.128.34
(0) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) NAS-Port = 1
(0) Calling-Station-Id = "E4-6F-13-2C-A4-C3"
(0) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 61 / Channel: 11"
(0) Acct-Session-Id = "1265B3D4CA450401"
(0) Acct-Multi-Session-Id = "E27A7A7004BD7B9C"
(0) WLAN-Pairwise-Cipher = 1027076
(0) WLAN-Group-Cipher = 1027074
(0) WLAN-AKM-Suite = 1027073
(0) WLAN-Group-Mgmt-Cipher = 1027078
(0) Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373
(0) Attr-26.29671.3 = 0x41502d56312d536f706f727465
(0) Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649
(0) Meraki-Device-Name = "AP-V1-Soporte"
(0) Framed-MTU = 1400
(0) EAP-Message = 0x025a001001776966694075636e2e636c
(0) Message-Authenticator = 0x04cce3d3d9c3a62938bf82ea2abc2b9c
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log: --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200901
(0) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200901
(0) auth_log: EXPAND %t
(0) auth_log: --> Tue Sep 1 11:52:23 2020
(0) [auth_log] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl"
(0) suffix: Found realm "ucn.cl"
(0) suffix: Adding Stripped-User-Name = "wifi"
(0) suffix: Adding Realm = "ucn.cl"
(0) suffix: Authentication realm is LOCAL
(0) [suffix] = ok
(0) eap: Peer sent EAP Response (code 2) ID 90 length 16
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_ttls to process data
(0) eap_ttls: Initiating new EAP-TLS session
(0) eap_ttls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 91 length 6
(0) eap: EAP session adding &reply:State = 0xfc98dff8fcc3cadd
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 110 from 146.83.124.26:1812 to
192.168.128.34:39957 length 0
(0) EAP-Message = 0x015b00061520
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xfc98dff8fcc3cadd585a7c0a5256b1cb
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 111 from 192.168.128.34:39957 to
146.83.124.26:1812 length 561
(1) User-Name = "wifi@ucn.cl"
(1) NAS-IP-Address = 192.168.128.34
(1) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) NAS-Port = 1
(1) Calling-Station-Id = "E4-6F-13-2C-A4-C3"
(1) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 57 / Channel: 11"
(1) Acct-Session-Id = "1265B3D4CA450401"
(1) Acct-Multi-Session-Id = "E27A7A7004BD7B9C"
(1) WLAN-Pairwise-Cipher = 1027076
(1) WLAN-Group-Cipher = 1027074
(1) WLAN-AKM-Suite = 1027073
(1) WLAN-Group-Mgmt-Cipher = 1027078
(1) Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373
(1) Attr-26.29671.3 = 0x41502d56312d536f706f727465
(1) Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649
(1) Meraki-Device-Name = "AP-V1-Soporte"
(1) Framed-MTU = 1400
(1) EAP-Message =
0x025b009d158000000093160303008e0100008a03035f4e6e39d543bdbe262325b01665d7fc0cecf99af68741b25deddf25a63780f100002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000037000a00080006001d00170018000b000201
(1) State = 0xfc98dff8fcc3cadd585a7c0a5256b1cb
(1) Message-Authenticator = 0x068dc765eda5d55a72a56d19ed80cc5a
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(1) auth_log: --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200901
(1) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200901
(1) auth_log: EXPAND %t
(1) auth_log: --> Tue Sep 1 11:52:23 2020
(1) [auth_log] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl"
(1) suffix: Found realm "ucn.cl"
(1) suffix: Adding Stripped-User-Name = "wifi"
(1) suffix: Adding Realm = "ucn.cl"
(1) suffix: Authentication realm is LOCAL
(1) [suffix] = ok
(1) eap: Peer sent EAP Response (code 2) ID 91 length 157
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xfc98dff8fcc3cadd
(1) eap: Finished EAP session with state 0xfc98dff8fcc3cadd
(1) eap: Previous EAP request found for state 0xfc98dff8fcc3cadd, released
from the list
(1) eap: Peer sent packet with method EAP TTLS (21)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Authenticate
(1) eap_ttls: Continuing EAP-TLS
(1) eap_ttls: Peer indicated complete TLS record size will be 147 bytes
(1) eap_ttls: Got complete TLS record (147 bytes)
(1) eap_ttls: [eaptls verify] = length included
(1) eap_ttls: (other): before SSL initialization
(1) eap_ttls: TLS_accept: before SSL initialization
(1) eap_ttls: TLS_accept: before SSL initialization
(1) eap_ttls: <<< recv UNKNOWN TLS VERSION ?0304? [length 008e]
(1) eap_ttls: TLS_accept: SSLv3/TLS read client hello
(1) eap_ttls: >>> send TLS 1.2 [length 003d]
(1) eap_ttls: TLS_accept: SSLv3/TLS write server hello
(1) eap_ttls: >>> send TLS 1.2 [length 0d45]
(1) eap_ttls: TLS_accept: SSLv3/TLS write certificate
(1) eap_ttls: >>> send TLS 1.2 [length 024d]
(1) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
(1) eap_ttls: >>> send TLS 1.2 [length 0004]
(1) eap_ttls: TLS_accept: SSLv3/TLS write server done
(1) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(1) eap_ttls: In SSL Handshake Phase
(1) eap_ttls: In SSL Accept mode
(1) eap_ttls: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 92 length 1004
(1) eap: EAP session adding &reply:State = 0xfc98dff8fdc4cadd
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 111 from 146.83.124.26:1812 to
192.168.128.34:39957 length 0
(1) EAP-Message =
0x015c03ec15c000000fe7160303003d02000039030359d5354da526f46e73734ac9b4c806147b7bae612ec9e7fd6fe58961ef56e6ff00c030000011ff01000100000b000403000102001700001603030d450b000d41000d3e000601308205fd308203e5a003020102020101300d06092a864886f70d0101
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xfc98dff8fdc4cadd585a7c0a5256b1cb
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 112 from 192.168.128.34:39957 to
146.83.124.26:1812 length 410
(2) User-Name = "wifi@ucn.cl"
(2) NAS-IP-Address = 192.168.128.34
(2) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) NAS-Port = 1
(2) Calling-Station-Id = "E4-6F-13-2C-A4-C3"
(2) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 62 / Channel: 11"
(2) Acct-Session-Id = "1265B3D4CA450401"
(2) Acct-Multi-Session-Id = "E27A7A7004BD7B9C"
(2) WLAN-Pairwise-Cipher = 1027076
(2) WLAN-Group-Cipher = 1027074
(2) WLAN-AKM-Suite = 1027073
(2) WLAN-Group-Mgmt-Cipher = 1027078
(2) Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373
(2) Attr-26.29671.3 = 0x41502d56312d536f706f727465
(2) Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649
(2) Meraki-Device-Name = "AP-V1-Soporte"
(2) Framed-MTU = 1400
(2) EAP-Message = 0x025c00061500
(2) State = 0xfc98dff8fdc4cadd585a7c0a5256b1cb
(2) Message-Authenticator = 0x83b5967ebe5b37e7447be803e0d0a7cc
(2) session-state: No cached attributes
(2) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(2) auth_log: --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200901
(2) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200901
(2) auth_log: EXPAND %t
(2) auth_log: --> Tue Sep 1 11:52:23 2020
(2) [auth_log] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl"
(2) suffix: Found realm "ucn.cl"
(2) suffix: Adding Stripped-User-Name = "wifi"
(2) suffix: Adding Realm = "ucn.cl"
(2) suffix: Authentication realm is LOCAL
(2) [suffix] = ok
(2) eap: Peer sent EAP Response (code 2) ID 92 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xfc98dff8fdc4cadd
(2) eap: Finished EAP session with state 0xfc98dff8fdc4cadd
(2) eap: Previous EAP request found for state 0xfc98dff8fdc4cadd, released
from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Peer ACKed our handshake fragment
(2) eap_ttls: [eaptls verify] = request
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 93 length 1004
(2) eap: EAP session adding &reply:State = 0xfc98dff8fec5cadd
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 112 from 146.83.124.26:1812 to
192.168.128.34:39957 length 0
(2) EAP-Message =
0x015d03ec15c000000fe7209dba66581b0203010001a34f304d30130603551d25040c300a06082b0601050507030130360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xfc98dff8fec5cadd585a7c0a5256b1cb
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 113 from 192.168.128.34:39957 to
146.83.124.26:1812 length 410
(3) User-Name = "wifi@ucn.cl"
(3) NAS-IP-Address = 192.168.128.34
(3) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) NAS-Port = 1
(3) Calling-Station-Id = "E4-6F-13-2C-A4-C3"
(3) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 64 / Channel: 11"
(3) Acct-Session-Id = "1265B3D4CA450401"
(3) Acct-Multi-Session-Id = "E27A7A7004BD7B9C"
(3) WLAN-Pairwise-Cipher = 1027076
(3) WLAN-Group-Cipher = 1027074
(3) WLAN-AKM-Suite = 1027073
(3) WLAN-Group-Mgmt-Cipher = 1027078
(3) Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373
(3) Attr-26.29671.3 = 0x41502d56312d536f706f727465
(3) Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649
(3) Meraki-Device-Name = "AP-V1-Soporte"
(3) Framed-MTU = 1400
(3) EAP-Message = 0x025d00061500
(3) State = 0xfc98dff8fec5cadd585a7c0a5256b1cb
(3) Message-Authenticator = 0x87ee959791b647ce6c381a68cb941141
(3) session-state: No cached attributes
(3) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(3) auth_log: --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200901
(3) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200901
(3) auth_log: EXPAND %t
(3) auth_log: --> Tue Sep 1 11:52:23 2020
(3) [auth_log] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl"
(3) suffix: Found realm "ucn.cl"
(3) suffix: Adding Stripped-User-Name = "wifi"
(3) suffix: Adding Realm = "ucn.cl"
(3) suffix: Authentication realm is LOCAL
(3) [suffix] = ok
(3) eap: Peer sent EAP Response (code 2) ID 93 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0xfc98dff8fec5cadd
(3) eap: Finished EAP session with state 0xfc98dff8fec5cadd
(3) eap: Previous EAP request found for state 0xfc98dff8fec5cadd, released
from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: Peer ACKed our handshake fragment
(3) eap_ttls: [eaptls verify] = request
(3) eap_ttls: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 94 length 1004
(3) eap: EAP session adding &reply:State = 0xfc98dff8ffc6cadd
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 113 from 146.83.124.26:1812 to
192.168.128.34:39957 length 0
(3) EAP-Message =
0x015e03ec15c000000fe7303140616c756d6e6f732e75636e2e636c3122302006035504030c19456e746964616420636572746966696361646f72612055434e30820222300d06092a864886f70d01010105000382020f003082020a0282020100bac4e13cd8c7fa57371bce6d41f22a26bcad2ffba6e97d
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xfc98dff8ffc6cadd585a7c0a5256b1cb
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 114 from 192.168.128.34:39957 to
146.83.124.26:1812 length 410
(4) User-Name = "wifi@ucn.cl"
(4) NAS-IP-Address = 192.168.128.34
(4) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) NAS-Port = 1
(4) Calling-Station-Id = "E4-6F-13-2C-A4-C3"
(4) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 62 / Channel: 11"
(4) Acct-Session-Id = "1265B3D4CA450401"
(4) Acct-Multi-Session-Id = "E27A7A7004BD7B9C"
(4) WLAN-Pairwise-Cipher = 1027076
(4) WLAN-Group-Cipher = 1027074
(4) WLAN-AKM-Suite = 1027073
(4) WLAN-Group-Mgmt-Cipher = 1027078
(4) Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373
(4) Attr-26.29671.3 = 0x41502d56312d536f706f727465
(4) Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649
(4) Meraki-Device-Name = "AP-V1-Soporte"
(4) Framed-MTU = 1400
(4) EAP-Message = 0x025e00061500
(4) State = 0xfc98dff8ffc6cadd585a7c0a5256b1cb
(4) Message-Authenticator = 0xe30e38a9050dd13905814ea8672728b8
(4) session-state: No cached attributes
(4) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(4) auth_log: --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200901
(4) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200901
(4) auth_log: EXPAND %t
(4) auth_log: --> Tue Sep 1 11:52:23 2020
(4) [auth_log] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl"
(4) suffix: Found realm "ucn.cl"
(4) suffix: Adding Stripped-User-Name = "wifi"
(4) suffix: Adding Realm = "ucn.cl"
(4) suffix: Authentication realm is LOCAL
(4) [suffix] = ok
(4) eap: Peer sent EAP Response (code 2) ID 94 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0xfc98dff8ffc6cadd
(4) eap: Finished EAP session with state 0xfc98dff8ffc6cadd
(4) eap: Previous EAP request found for state 0xfc98dff8ffc6cadd, released
from the list
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: Continuing EAP-TLS
(4) eap_ttls: Peer ACKed our handshake fragment
(4) eap_ttls: [eaptls verify] = request
(4) eap_ttls: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 95 length 1004
(4) eap: EAP session adding &reply:State = 0xfc98dff8f8c7cadd
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 114 from 146.83.124.26:1812 to
192.168.128.34:39957 length 0
(4) EAP-Message =
0x015f03ec15c000000fe7c77251950fa0fe126a12332e02a8771ae735a0577b0809945f2151bb00b8f395f3f54573f94c87a0ad1afb624ea621c50e5cd9581e9bd0b5cc20a6f0c9bdbbbe326850002220a5b201f4bee09362a04c3dea95c4263c7c8ae9852a2a4c882975dc2cf44699206592149806fb22
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0xfc98dff8f8c7cadd585a7c0a5256b1cb
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 115 from 192.168.128.34:39957 to
146.83.124.26:1812 length 410
(5) User-Name = "wifi@ucn.cl"
(5) NAS-IP-Address = 192.168.128.34
(5) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) NAS-Port = 1
(5) Calling-Station-Id = "E4-6F-13-2C-A4-C3"
(5) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 61 / Channel: 11"
(5) Acct-Session-Id = "1265B3D4CA450401"
(5) Acct-Multi-Session-Id = "E27A7A7004BD7B9C"
(5) WLAN-Pairwise-Cipher = 1027076
(5) WLAN-Group-Cipher = 1027074
(5) WLAN-AKM-Suite = 1027073
(5) WLAN-Group-Mgmt-Cipher = 1027078
(5) Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373
(5) Attr-26.29671.3 = 0x41502d56312d536f706f727465
(5) Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649
(5) Meraki-Device-Name = "AP-V1-Soporte"
(5) Framed-MTU = 1400
(5) EAP-Message = 0x025f00061500
(5) State = 0xfc98dff8f8c7cadd585a7c0a5256b1cb
(5) Message-Authenticator = 0xaff5d23d6d7f617ed2f417cf8fc6b64a
(5) session-state: No cached attributes
(5) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(5) auth_log: --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200901
(5) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200901
(5) auth_log: EXPAND %t
(5) auth_log: --> Tue Sep 1 11:52:23 2020
(5) [auth_log] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl"
(5) suffix: Found realm "ucn.cl"
(5) suffix: Adding Stripped-User-Name = "wifi"
(5) suffix: Adding Realm = "ucn.cl"
(5) suffix: Authentication realm is LOCAL
(5) [suffix] = ok
(5) eap: Peer sent EAP Response (code 2) ID 95 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0xfc98dff8f8c7cadd
(5) eap: Finished EAP session with state 0xfc98dff8f8c7cadd
(5) eap: Previous EAP request found for state 0xfc98dff8f8c7cadd, released
from the list
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: Continuing EAP-TLS
(5) eap_ttls: Peer ACKed our handshake fragment
(5) eap_ttls: [eaptls verify] = request
(5) eap_ttls: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 96 length 105
(5) eap: EAP session adding &reply:State = 0xfc98dff8f9f8cadd
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) Sent Access-Challenge Id 115 from 146.83.124.26:1812 to
192.168.128.34:39957 length 0
(5) EAP-Message =
0x01600069158000000fe7dd02213dc082bf9030b18c868edd995a7861437222487c7d98135b10166d927771216da0a1f38f13952517a5b10fd057e10f81b1d606ac8ad24ac5f91c5598c268b6720be6ca68e3ccbd62d209eada0c2fbdbcd6bac416030300040e000000
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0xfc98dff8f9f8cadd585a7c0a5256b1cb
(5) Finished request
Waking up in 4.8 seconds.
(6) Received Access-Request Id 116 from 192.168.128.34:39957 to
146.83.124.26:1812 length 540
(6) User-Name = "wifi@ucn.cl"
(6) NAS-IP-Address = 192.168.128.34
(6) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) NAS-Port = 1
(6) Calling-Station-Id = "E4-6F-13-2C-A4-C3"
(6) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 54 / Channel: 11"
(6) Acct-Session-Id = "1265B3D4CA450401"
(6) Acct-Multi-Session-Id = "E27A7A7004BD7B9C"
(6) WLAN-Pairwise-Cipher = 1027076
(6) WLAN-Group-Cipher = 1027074
(6) WLAN-AKM-Suite = 1027073
(6) WLAN-Group-Mgmt-Cipher = 1027078
(6) Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373
(6) Attr-26.29671.3 = 0x41502d56312d536f706f727465
(6) Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649
(6) Meraki-Device-Name = "AP-V1-Soporte"
(6) Framed-MTU = 1400
(6) EAP-Message =
0x0260008815800000007e1603030046100000424104163f372687eb80d249bb061304fc52817ba0e4862fd5f6c419a118480627b974461bb79fb895d856f47fd3242fb08d24956729ee640f4880b162d4ab1d6c83f914030300010116030300280000000000000000fcf6e3d255b1273d62447e0e0cb40f
(6) State = 0xfc98dff8f9f8cadd585a7c0a5256b1cb
(6) Message-Authenticator = 0x419fc3b739475b963f44b66a473e4c5a
(6) session-state: No cached attributes
(6) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(6) auth_log: --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200901
(6) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200901
(6) auth_log: EXPAND %t
(6) auth_log: --> Tue Sep 1 11:52:23 2020
(6) [auth_log] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl"
(6) suffix: Found realm "ucn.cl"
(6) suffix: Adding Stripped-User-Name = "wifi"
(6) suffix: Adding Realm = "ucn.cl"
(6) suffix: Authentication realm is LOCAL
(6) [suffix] = ok
(6) eap: Peer sent EAP Response (code 2) ID 96 length 136
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0xfc98dff8f9f8cadd
(6) eap: Finished EAP session with state 0xfc98dff8f9f8cadd
(6) eap: Previous EAP request found for state 0xfc98dff8f9f8cadd, released
from the list
(6) eap: Peer sent packet with method EAP TTLS (21)
(6) eap: Calling submodule eap_ttls to process data
(6) eap_ttls: Authenticate
(6) eap_ttls: Continuing EAP-TLS
(6) eap_ttls: Peer indicated complete TLS record size will be 126 bytes
(6) eap_ttls: Got complete TLS record (126 bytes)
(6) eap_ttls: [eaptls verify] = length included
(6) eap_ttls: TLS_accept: SSLv3/TLS write server done
(6) eap_ttls: <<< recv TLS 1.2 [length 0046]
(6) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
(6) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
(6) eap_ttls: <<< recv TLS 1.2 [length 0010]
(6) eap_ttls: TLS_accept: SSLv3/TLS read finished
(6) eap_ttls: >>> send TLS 1.2 [length 0001]
(6) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
(6) eap_ttls: >>> send TLS 1.2 [length 0010]
(6) eap_ttls: TLS_accept: SSLv3/TLS write finished
(6) eap_ttls: (other): SSL negotiation finished successfully
(6) eap_ttls: SSL Connection Established
(6) eap_ttls: [eaptls process] = handled
(6) eap: Sending EAP Request (code 1) ID 97 length 61
(6) eap: EAP session adding &reply:State = 0xfc98dff8faf9cadd
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) Challenge { ... } # empty sub-section is ignored
(6) Sent Access-Challenge Id 116 from 146.83.124.26:1812 to
192.168.128.34:39957 length 0
(6) EAP-Message =
0x0161003d158000000033140303000101160303002886804395e9752affc89dde1b411debdf4e3c00db259a47945801253f950c3be9826f2ce57374f1bb
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xfc98dff8faf9cadd585a7c0a5256b1cb
(6) Finished request
Waking up in 4.8 seconds.
(7) Received Access-Request Id 117 from 192.168.128.34:39957 to
146.83.124.26:1812 length 483
(7) User-Name = "wifi at ucn.cl"
(7) NAS-IP-Address = 192.168.128.34
(7) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"
(7) NAS-Port-Type = Wireless-802.11
(7) Service-Type = Framed-User
(7) NAS-Port = 1
(7) Calling-Station-Id = "E4-6F-13-2C-A4-C3"
(7) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 58 / Channel: 11"
(7) Acct-Session-Id = "1265B3D4CA450401"
(7) Acct-Multi-Session-Id = "E27A7A7004BD7B9C"
(7) WLAN-Pairwise-Cipher = 1027076
(7) WLAN-Group-Cipher = 1027074
(7) WLAN-AKM-Suite = 1027073
(7) WLAN-Group-Mgmt-Cipher = 1027078
(7) Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373
(7) Attr-26.29671.3 = 0x41502d56312d536f706f727465
(7) Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649
(7) Meraki-Device-Name = "AP-V1-Soporte"
(7) Framed-MTU = 1400
(7) EAP-Message =
0x0261004f15800000004517030300400000000000000001b98cb06ad5a33b6d61e62a62728f25a6b571d54f423fc79aae25f51af5e30b1fdafb12a2506c68349dcdb3bd12e99f5dacbbcc1e8760a817
(7) State = 0xfc98dff8faf9cadd585a7c0a5256b1cb
(7) Message-Authenticator = 0xe7d95b4aa7b635f28e7f7014ad5e69d5
(7) session-state: No cached attributes
(7) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(7) auth_log: --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200901
(7) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200901
(7) auth_log: EXPAND %t
(7) auth_log: --> Tue Sep 1 11:52:25 2020
(7) [auth_log] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: Looking up realm "ucn.cl" for User-Name = "wifi at ucn.cl"
(7) suffix: Found realm "ucn.cl"
(7) suffix: Adding Stripped-User-Name = "wifi"
(7) suffix: Adding Realm = "ucn.cl"
(7) suffix: Authentication realm is LOCAL
(7) [suffix] = ok
(7) eap: Peer sent EAP Response (code 2) ID 97 length 79
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0xfc98dff8faf9cadd
(7) eap: Finished EAP session with state 0xfc98dff8faf9cadd
(7) eap: Previous EAP request found for state 0xfc98dff8faf9cadd, released
from the list
(7) eap: Peer sent packet with method EAP TTLS (21)
(7) eap: Calling submodule eap_ttls to process data
(7) eap_ttls: Authenticate
(7) eap_ttls: Continuing EAP-TLS
(7) eap_ttls: Peer indicated complete TLS record size will be 69 bytes
(7) eap_ttls: Got complete TLS record (69 bytes)
(7) eap_ttls: [eaptls verify] = length included
(7) eap_ttls: [eaptls process] = ok
(7) eap_ttls: Session established. Proceeding to decode tunneled attributes
(7) eap_ttls: Got tunneled request
(7) eap_ttls: User-Name = "wifi at ucn.cl"
(7) eap_ttls: User-Password = "SoporteUcn"
(7) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_ttls: Sending tunneled request
(7) Virtual server inner-tunnel received request
(7) User-Name = "wifi at ucn.cl"
(7) User-Password = "SoporteUcn"
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) NAS-IP-Address = 192.168.128.34
(7) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"
(7) NAS-Port-Type = Wireless-802.11
(7) Service-Type = Framed-User
(7) NAS-Port = 1
(7) Calling-Station-Id = "E4-6F-13-2C-A4-C3"
(7) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 58 / Channel: 11"
(7) Acct-Session-Id = "1265B3D4CA450401"
(7) Acct-Multi-Session-Id = "E27A7A7004BD7B9C"
(7) WLAN-Pairwise-Cipher = 1027076
(7) WLAN-Group-Cipher = 1027074
(7) WLAN-AKM-Suite = 1027073
(7) WLAN-Group-Mgmt-Cipher = 1027078
(7) Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373
(7) Attr-26.29671.3 = 0x41502d56312d536f706f727465
(7) Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649
(7) Meraki-Device-Name = "AP-V1-Soporte"
(7) Framed-MTU = 1400
(7) Event-Timestamp = "Sep 1 2020 11:52:25 -04"
(7) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(7) server inner-tunnel {
(7) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: Looking up realm "ucn.cl" for User-Name = "wifi at ucn.cl"
(7) suffix: Found realm "ucn.cl"
(7) suffix: Adding Stripped-User-Name = "wifi"
(7) suffix: Adding Realm = "ucn.cl"
(7) suffix: Authentication realm is LOCAL
(7) [suffix] = ok
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: No EAP-Message, not doing EAP
(7) [eap] = noop
(7) if (Realm == 'ucn.cl') {
(7) if (Realm == 'ucn.cl') -> TRUE
(7) if (Realm == 'ucn.cl') {
(7) first_files: EXPAND %{Virtual-Server}
(7) first_files: --> inner-tunnel
(7) first_files: users: Matched entry DEFAULT at line 93
(7) [first_files] = ok
(7) } # if (Realm == 'ucn.cl') = ok
(7) if (Realm == 'alumnos.ucn.cl') {
(7) if (Realm == 'alumnos.ucn.cl') -> FALSE
(7) files: EXPAND %{Virtual-Server}
(7) files: --> inner-tunnel
(7) [files] = noop
(7) first_files: EXPAND %{Virtual-Server}
(7) first_files: --> inner-tunnel
(7) first_files: users: Matched entry DEFAULT at line 93
(7) [first_files] = ok
(7) second_files: EXPAND %{Virtual-Server}
(7) second_files: --> inner-tunnel
(7) second_files: users: Matched entry DEFAULT at line 93
(7) [second_files] = ok
(7) [expiration] = noop
(7) [logintime] = noop
(7) [pap] = noop
(7) } # authorize = ok
(7) Found Auth-Type = pam
(7) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authenticate {
(7) pam: Using pamauth string "pam-imap-radius2" for pam.conf lookup
(7) pam: ERROR: pam_authenticate failed: Module is unknown
(7) [pam] = reject
(7) } # authenticate = reject
(7) Failed to authenticate the user
(7) Using Post-Auth-Type Reject
(7) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) Post-Auth-Type REJECT {
(7) reply_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(7) reply_log: --> /var/log/freeradius/radacct/
192.168.128.34/reply-detail-20200901
(7) reply_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/reply-detail-20200901
(7) reply_log: WARNING: Skipping empty packet
(7) [reply_log] = ok
(7) attr_filter.access_reject: EXPAND %{User-Name}
(7) attr_filter.access_reject: --> wifi at ucn.cl
(7) attr_filter.access_reject: Matched entry DEFAULT at line 11
(7) [attr_filter.access_reject] = updated
(7) update outer.session-state {
(7) &Module-Failure-Message := &request:Module-Failure-Message ->
'pam: pam_authenticate failed: Module is unknown'
(7) } # update outer.session-state = noop
(7) } # Post-Auth-Type REJECT = updated
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) eap_ttls: Got tunneled Access-Reject
(7) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module
failed
(7) eap: Sending EAP Failure (code 4) ID 97 length 4
(7) eap: Failed in EAP select
(7) [eap] = invalid
(7) } # authenticate = invalid
(7) Failed to authenticate the user
(7) Using Post-Auth-Type Reject
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) Post-Auth-Type REJECT {
(7) attr_filter.access_reject: EXPAND %{User-Name}
(7) attr_filter.access_reject: --> wifi at ucn.cl
(7) attr_filter.access_reject: Matched entry DEFAULT at line 11
(7) [attr_filter.access_reject] = updated
(7) [eap] = noop
(7) reply_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(7) reply_log: --> /var/log/freeradius/radacct/
192.168.128.34/reply-detail-20200901
(7) reply_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/reply-detail-20200901
(7) reply_log: EXPAND %t
(7) reply_log: --> Tue Sep 1 11:52:25 2020
(7) [reply_log] = ok
(7) policy remove_reply_message_if_eap {
(7) if (&reply:EAP-Message && &reply:Reply-Message) {
(7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(7) else {
(7) [noop] = noop
(7) } # else = noop
(7) } # policy remove_reply_message_if_eap = noop
(7) } # Post-Auth-Type REJECT = updated
(7) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(7) Sending delayed response
(7) Sent Access-Reject Id 117 from 146.83.124.26:1812 to
192.168.128.34:39957 length 44
(7) EAP-Message = 0x04610004
(7) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 2.0 seconds.
(0) Cleaning up request packet ID 110 with timestamp +23
(1) Cleaning up request packet ID 111 with timestamp +23
(2) Cleaning up request packet ID 112 with timestamp +23
(3) Cleaning up request packet ID 113 with timestamp +23
(4) Cleaning up request packet ID 114 with timestamp +23
(5) Cleaning up request packet ID 115 with timestamp +23
(6) Cleaning up request packet ID 116 with timestamp +23
Waking up in 1.8 seconds.
(7) Cleaning up request packet ID 117 with timestamp +25
I apologize if I failed to follow your instructions properly, but I'm at a loss
here. Thanks in advance.
On Sat, Aug 29, 2020 at 6:20, Alan DeKok (<aland at deployingradius.com>)
wrote:
> On Aug 28, 2020, at 7:18 PM, HORMAZABAL PIÑONES BARBARA FRANCISCA <
> bhp001 at alumnos.ucn.cl> wrote:
> >
> > Greetings, I'm a Freeradius newbie and I apologize if I make mistakes with
> > some concepts or get my point across (English is not my first language).
>
> It's fine.
>
> > Anyway, I'm setting up freeradius in Ubuntu server 18.04 to authenticate
> > users (teachers, students) through their Google accounts (we have a couple
> > of domains for each one), so I was advised to use the PAM-IMAP module. When
> > trying to authenticate however, it fails going through the eap-peap
> > authentication. I read the output and checked that authentication is
> > invalid in the pam module however I do not know how to fix it.
>
> PAM needs a clear-text password in the RADIUS request. PEAP does not
> supply one. You need to configure the clients to use TTLS with PAP inside
> of the tunnel.
>
> Alan DeKok.
>
>
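Added example (not part of the original message, and not FreeRADIUS code): a short Python script that reads debug output like the log above and reports, per request, which files-module instances matched a users entry before the pam module chose its service name. The sample lines are excerpted from request (7) above; the function names are hypothetical.

```python
import re

# Excerpt of request (7) from the debug output above, including one mail-wrapped line.
SAMPLE = """\
(7) if (Realm == 'ucn.cl') -> TRUE
(7) first_files: users: Matched entry DEFAULT at line 93
(7) } # if (Realm == 'ucn.cl') = ok
(7) if (Realm == 'alumnos.ucn.cl') -> FALSE
(7) [files] = noop
(7) first_files: users: Matched entry DEFAULT at line 93
(7) second_files: users: Matched entry DEFAULT at line 93
(7) Found Auth-Type = pam
(7) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) pam: Using pamauth string "pam-imap-radius2" for pam.conf lookup
(7) pam: ERROR: pam_authenticate failed: Module is unknown
"""

PREFIX = re.compile(r"^\((\d+)\)\s+(.*)$")
MATCHED = re.compile(r"^(\w+): users: Matched entry (\S+) at line (\d+)")
SERVICE = re.compile(r'^pam: Using pamauth string "([^"]+)"')
ERROR = re.compile(r"^pam: ERROR: (.+)$")

def unwrap(text):
    """Re-join mail-wrapped lines: a line without a "(N)" prefix continues the previous one."""
    out = []
    for line in text.splitlines():
        if PREFIX.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line.strip()
    return out

def trace_pam(text):
    """Per request: users-file matches seen before the pam lookup, the PAM service used, the error."""
    result = {}
    for line in unwrap(text):
        m = PREFIX.match(line)
        if not m:
            continue
        req, body = int(m.group(1)), m.group(2)
        entry = result.setdefault(req, {"matches": [], "service": None, "error": None})
        if (hit := MATCHED.match(body)) and entry["service"] is None:
            entry["matches"].append((hit.group(1), hit.group(2), int(hit.group(3))))
        elif hit := SERVICE.match(body):
            entry["service"] = hit.group(1)
        elif hit := ERROR.match(body):
            entry["error"] = hit.group(1)
    # Only requests that actually reached the pam module are reported.
    return {r: e for r, e in result.items() if e["service"]}

if __name__ == "__main__":
    for req, info in trace_pam(SAMPLE).items():
        print(req, info)
```

On the excerpt, the last match before the pam lookup is second_files, which the log shows running after the Realm == 'ucn.cl' block has closed.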