device simply doesn't connect, no errors

Vincent W. vincent.wrusch at gmail.com
Wed Feb 9 19:57:59 UTC 2022


Hey,

I hope you are having a nice day. I am currently trying to set up a
FreeRADIUS-based Wi-Fi system for the small student dorm I am living in. We
are using private Wi-Fi networks all over the place right now, but we want to
change this in the future. As a 'starting' experiment I am trying to set up a
FreeRADIUS server with an access point in our server room.
Right now I am using FreeRADIUS 3.0 installed on an Ubuntu 20.04 LXD
container and an old TP-Link router with OpenWrt on it as an access point.

The goal is to use EAP-PEAP with MSCHAPv2 as the authentication method, and
everything should be set up by now. I am using an Android 11 phone (with
the CA certificate installed) to connect, but it simply won't. I type in
everything as it should be, but it simply says "connecting" forever. The
following is the debug log of freeradius for 10 requests and they are quite
different from each other. (8) seems to be the most successful one with
multiple "erfolgreich angemeldet"="successfully logged in" messages.

Note that log (0) is the server output belonging to "radtest -t mschap
nutzer magazin 127.0.0.1:18120 0 testing123". Also note: as a test
user I just created the user "nutzer" with the password "magazin".

I do have an Android 9 device available, but in contrast to my newer phone
it needs a "domain" extra, and I couldn't figure out anything that works
for that field.
So what the hell doesn't work here?

Thanks for your help, with kind regards, Vincent



This is the output:

Ready to process requests
(0) Received Access-Request Id 214 from 127.0.0.1:37588 to 127.0.0.1:18120
length 132
(0)   User-Name = "nutzer"
(0)   NAS-IP-Address = [Radius-Server--IP]
(0)   NAS-Port = 0
(0)   Message-Authenticator = 0xe320828ad839fad8fe6880e88ad67ddd
(0)   MS-CHAP-Challenge = 0x5be637b29e8a6bde
(0)   MS-CHAP-Response =
0x0001000000000000000000000000000000000000000000000000a55295612da4a97a989fd47e8c77558c92f2cef93ccb7c63
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [chap] = noop
(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)     [mschap] = ok
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "nutzer", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0)     update control {
(0)       &Proxy-To-Realm := LOCAL
(0)     } # update control = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry nutzer at line 91
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: Auth-Type already set.  Not setting to PAP
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(0)   authenticate {
(0) mschap: Found Cleartext-Password, hashing to create NT-Password
(0) mschap: Client is using MS-CHAPv1 with NT-Password
(0) mschap: adding MS-CHAPv1 MPPE keys
(0)     [mschap] = ok
(0)   } # authenticate = ok
(0) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(0)   post-auth {
(0)     if (0) {
(0)     if (0)  -> FALSE
(0)   } # post-auth = noop
(0) Sent Access-Accept Id 214 from 127.0.0.1:18120 to 127.0.0.1:37588
length 0
(0)   Reply-Message = "erfolgreich angemeldet"
(0)   MS-CHAP-MPPE-Keys = 0x0000000000000000b4dd71791376c2da9a9a0dd82b5678c7
(0)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(0)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 214 with timestamp +23
Ready to process requests
(1) Received Access-Request Id 223 from [AccessPoint-IP]:52784 to
[Radius-Server--IP]:1812 length 202
(1)   User-Name = "anonymous"
(1)   Called-Station-Id = "10-FE-ED-EB-5D-2C:OpenWrt-Radius"
(1)   NAS-Port-Type = Wireless-802.11
(1)   Service-Type = Framed-User
(1)   NAS-Port = 1
(1)   Calling-Station-Id = "52-A4-4F-C1-D8-2F"
(1)   Connect-Info = "CONNECT 54Mbps 802.11g"
(1)   Acct-Session-Id = "5F953B94262D8D47"
(1)   WLAN-Pairwise-Cipher = 1027076
(1)   WLAN-Group-Cipher = 1027076
(1)   WLAN-AKM-Suite = 1027073
(1)   Framed-MTU = 1400
(1)   EAP-Message = 0x0237000e01616e6f6e796d6f7573
(1)   Message-Authenticator = 0x5e7d4e06969cbbcc685aa4005c8524f0
(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 55 length 14
(1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(1)     [eap] = ok
(1)   } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) eap: Peer sent packet with method EAP Identity (1)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 56 length 6
(1) eap: EAP session adding &reply:State = 0x8902b1c3893aa80a
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 223 from [Radius-Server--IP]:1812 to
[AccessPoint-IP]:52784 length 0
(1)   EAP-Message = 0x013800061920
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0x8902b1c3893aa80ae70679604528de30
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 224 from [AccessPoint-IP]:52784 to
[Radius-Server--IP]:1812 length 347
(2)   User-Name = "anonymous"
(2)   Called-Station-Id = "10-FE-ED-EB-5D-2C:OpenWrt-Radius"
(2)   NAS-Port-Type = Wireless-802.11
(2)   Service-Type = Framed-User
(2)   NAS-Port = 1
(2)   Calling-Station-Id = "52-A4-4F-C1-D8-2F"
(2)   Connect-Info = "CONNECT 54Mbps 802.11g"
(2)   Acct-Session-Id = "5F953B94262D8D47"
(2)   WLAN-Pairwise-Cipher = 1027076
(2)   WLAN-Group-Cipher = 1027076
(2)   WLAN-AKM-Suite = 1027073
(2)   Framed-MTU = 1400
(2)   EAP-Message =
0x0238008d198000000083160301007e0100007a0303bb634a06b73a4f3c0ee57c48c0faec41bc7e8b082209ef069e48a88482861db400001ec02bc02fc02cc030cca9cca8c009c013c00ac014009c009d002f0035000a0100003300170000ff01000100000a00080006001d00170018000b00020100000d00140012040308040401050308050501080606010201
(2)   State = 0x8902b1c3893aa80ae70679604528de30
(2)   Message-Authenticator = 0x4f4dd4359a47d105241238807d481433
(2) session-state: No cached attributes
(2) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 56 length 141
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0x8902b1c3893aa80a
(2) eap: Finished EAP session with state 0x8902b1c3893aa80a
(2) eap: Previous EAP request found for state 0x8902b1c3893aa80a, released
from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 131 bytes
(2) eap_peap: Got complete TLS record (131 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: <<< recv TLS 1.3  [length 007e]
(2) eap_peap: TLS_accept: SSLv3/TLS read client hello
(2) eap_peap: >>> send TLS 1.2  [length 003d]
(2) eap_peap: TLS_accept: SSLv3/TLS write server hello
(2) eap_peap: >>> send TLS 1.2  [length 08f4]
(2) eap_peap: TLS_accept: SSLv3/TLS write certificate
(2) eap_peap: >>> send TLS 1.2  [length 014d]
(2) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(2) eap_peap: >>> send TLS 1.2  [length 0004]
(2) eap_peap: TLS_accept: SSLv3/TLS write server done
(2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(2) eap_peap: TLS - In Handshake Phase
(2) eap_peap: TLS - got 2710 bytes of data
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 57 length 1004
(2) eap: EAP session adding &reply:State = 0x8902b1c3883ba80a
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 224 from [Radius-Server--IP]:1812 to
[AccessPoint-IP]:52784 length 0
(2)   EAP-Message =
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0x8902b1c3883ba80ae70679604528de30
(2) Finished request
Waking up in 4.8 seconds.
(3) Received Access-Request Id 225 from [AccessPoint-IP]:52784 to
[Radius-Server--IP]:1812 length 212
(3)   User-Name = "anonymous"
(3)   Called-Station-Id = "10-FE-ED-EB-5D-2C:OpenWrt-Radius"
(3)   NAS-Port-Type = Wireless-802.11
(3)   Service-Type = Framed-User
(3)   NAS-Port = 1
(3)   Calling-Station-Id = "52-A4-4F-C1-D8-2F"
(3)   Connect-Info = "CONNECT 54Mbps 802.11g"
(3)   Acct-Session-Id = "5F953B94262D8D47"
(3)   WLAN-Pairwise-Cipher = 1027076
(3)   WLAN-Group-Cipher = 1027076
(3)   WLAN-AKM-Suite = 1027073
(3)   Framed-MTU = 1400
(3)   EAP-Message = 0x023900061900
(3)   State = 0x8902b1c3883ba80ae70679604528de30
(3)   Message-Authenticator = 0x5c93c55535a85416280e053f8fd8594b
(3) session-state: No cached attributes
(3) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 57 length 6
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0x8902b1c3883ba80a
(3) eap: Finished EAP session with state 0x8902b1c3883ba80a
(3) eap: Previous EAP request found for state 0x8902b1c3883ba80a, released
from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 58 length 1000
(3) eap: EAP session adding &reply:State = 0x8902b1c38b38a80a
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3)   Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 225 from [Radius-Server--IP]:1812 to
[AccessPoint-IP]:52784 length 0
(3)   EAP-Message =
0x013a03e819404d8bdc32e71f2a0fb604a0d1998c75b2caf7e82fa7fb43bc395e27fe0bb7bf3039b7d8d1f9b9d3b456faabdd9fd4f90574e6096e06d47a43410533be34a673f5af993d913a0782420c5402db098b1fc7a37e7a97f72c7dc50004fe308204fa308203e2a00302010202144d68d90956806f70226752a6417b4f33698fbce8300d06092a864886f70d01010b0500308193310b3009060355040613024445310c300a06035504080c034e5257310f300d06035504070c0641616368656e31163014060355040a0c0d4641484f20576f686e6865696d3128302606092a864886f70d010901161961646d696e406661686f2e727774682d61616368656e2e64653123302106035504030c1a4641484f20436572746966696361746520417574686f72697479301e170d3232303133313231353033375a170d3237303133303231353033375a308193310b3009060355040613024445310c300a06035504080c034e5257310f300d06035504070c064161636865
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0x8902b1c38b38a80ae70679604528de30
(3) Finished request
Waking up in 4.8 seconds.
(4) Received Access-Request Id 226 from [AccessPoint-IP]:52784 to
[Radius-Server--IP]:1812 length 212
(4)   User-Name = "anonymous"
(4)   Called-Station-Id = "10-FE-ED-EB-5D-2C:OpenWrt-Radius"
(4)   NAS-Port-Type = Wireless-802.11
(4)   Service-Type = Framed-User
(4)   NAS-Port = 1
(4)   Calling-Station-Id = "52-A4-4F-C1-D8-2F"
(4)   Connect-Info = "CONNECT 54Mbps 802.11g"
(4)   Acct-Session-Id = "5F953B94262D8D47"
(4)   WLAN-Pairwise-Cipher = 1027076
(4)   WLAN-Group-Cipher = 1027076
(4)   WLAN-AKM-Suite = 1027073
(4)   Framed-MTU = 1400
(4)   EAP-Message = 0x023a00061900
(4)   State = 0x8902b1c38b38a80ae70679604528de30
(4)   Message-Authenticator = 0x0eb3e33b6e473f367baf22b9cd51f6d0
(4) session-state: No cached attributes
(4) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 58 length 6
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0x8902b1c38b38a80a
(4) eap: Finished EAP session with state 0x8902b1c38b38a80a
(4) eap: Previous EAP request found for state 0x8902b1c38b38a80a, released
from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 59 length 728
(4) eap: EAP session adding &reply:State = 0x8902b1c38a39a80a
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 226 from [Radius-Server--IP]:1812 to
[AccessPoint-IP]:52784 length 0
(4)   EAP-Message =
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0x8902b1c38a39a80ae70679604528de30
(4) Finished request
Waking up in 4.8 seconds.
(5) Received Access-Request Id 227 from [AccessPoint-IP]:52784 to
[Radius-Server--IP]:1812 length 342
(5)   User-Name = "anonymous"
(5)   Called-Station-Id = "10-FE-ED-EB-5D-2C:OpenWrt-Radius"
(5)   NAS-Port-Type = Wireless-802.11
(5)   Service-Type = Framed-User
(5)   NAS-Port = 1
(5)   Calling-Station-Id = "52-A4-4F-C1-D8-2F"
(5)   Connect-Info = "CONNECT 54Mbps 802.11g"
(5)   Acct-Session-Id = "5F953B94262D8D47"
(5)   WLAN-Pairwise-Cipher = 1027076
(5)   WLAN-Group-Cipher = 1027076
(5)   WLAN-AKM-Suite = 1027073
(5)   Framed-MTU = 1400
(5)   EAP-Message =
0x023b008819800000007e160303004610000042410479a4c01b9202d00d2e35790d5c7e46ad9e775fbd60389ad87925250dc6df9d74d3d4ca805ba7ed6695213d4eb5681d164587f2ebd03f63f51c040dae2be3209e14030300010116030300280000000000000000528b59941c85eda9e878d2e917c5f133c86feab766ecb029efa86d376696f62b
(5)   State = 0x8902b1c38a39a80ae70679604528de30
(5)   Message-Authenticator = 0xca548784504d435e572cb7441362f403
(5) session-state: No cached attributes
(5) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 59 length 136
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0x8902b1c38a39a80a
(5) eap: Finished EAP session with state 0x8902b1c38a39a80a
(5) eap: Previous EAP request found for state 0x8902b1c38a39a80a, released
from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(5) eap_peap: Got complete TLS record (126 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: TLS_accept: SSLv3/TLS write server done
(5) eap_peap: <<< recv TLS 1.2  [length 0046]
(5) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(5) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(5) eap_peap: <<< recv TLS 1.2  [length 0010]
(5) eap_peap: TLS_accept: SSLv3/TLS read finished
(5) eap_peap: >>> send TLS 1.2  [length 0001]
(5) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(5) eap_peap: >>> send TLS 1.2  [length 0010]
(5) eap_peap: TLS_accept: SSLv3/TLS write finished
(5) eap_peap: (other): SSL negotiation finished successfully
(5) eap_peap: TLS - Connection Established
(5) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(5) eap_peap: TLS-Session-Version = "TLS 1.2"
(5) eap_peap: TLS - got 51 bytes of data
(5) eap_peap: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 60 length 57
(5) eap: EAP session adding &reply:State = 0x8902b1c38d3ea80a
(5)     [eap] = handled
(5)   } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5)   Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(5)   TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 227 from [Radius-Server--IP]:1812 to
[AccessPoint-IP]:52784 length 0
(5)   EAP-Message =
0x013c003919001403030001011603030028ecfac5b9f026fdb244b35870a4c617e4e14d779c1dcbbc78b54c29fc4212a86753e34380e177dcd2
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0x8902b1c38d3ea80ae70679604528de30
(5) Finished request
Waking up in 4.8 seconds.
(6) Received Access-Request Id 228 from [AccessPoint-IP]:52784 to
[Radius-Server--IP]:1812 length 212
(6)   User-Name = "anonymous"
(6)   Called-Station-Id = "10-FE-ED-EB-5D-2C:OpenWrt-Radius"
(6)   NAS-Port-Type = Wireless-802.11
(6)   Service-Type = Framed-User
(6)   NAS-Port = 1
(6)   Calling-Station-Id = "52-A4-4F-C1-D8-2F"
(6)   Connect-Info = "CONNECT 54Mbps 802.11g"
(6)   Acct-Session-Id = "5F953B94262D8D47"
(6)   WLAN-Pairwise-Cipher = 1027076
(6)   WLAN-Group-Cipher = 1027076
(6)   WLAN-AKM-Suite = 1027073
(6)   Framed-MTU = 1400
(6)   EAP-Message = 0x023c00061900
(6)   State = 0x8902b1c38d3ea80ae70679604528de30
(6)   Message-Authenticator = 0x21af232ac16758d39dd8fda69171344e
(6) Restoring &session-state
(6)   &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES128-GCM-SHA256"
(6)   &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(6)   authorize {
(6)     policy filter_username {
(6)       if (&User-Name) {
(6)       if (&User-Name)  -> TRUE
(6)       if (&User-Name)  {
(6)         if (&User-Name =~ / /) {
(6)         if (&User-Name =~ / /)  -> FALSE
(6)         if (&User-Name =~ /@[^@]*@/ ) {
(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)         if (&User-Name =~ /\.\./ ) {
(6)         if (&User-Name =~ /\.\./ )  -> FALSE
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(6)         if (&User-Name =~ /\.$/)  {
(6)         if (&User-Name =~ /\.$/)   -> FALSE
(6)         if (&User-Name =~ /@\./)  {
(6)         if (&User-Name =~ /@\./)   -> FALSE
(6)       } # if (&User-Name)  = notfound
(6)     } # policy filter_username = notfound
(6)     [preprocess] = ok
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)     [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 60 length 6
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6)   authenticate {
(6) eap: Expiring EAP session with state 0x8902b1c38d3ea80a
(6) eap: Finished EAP session with state 0x8902b1c38d3ea80a
(6) eap: Previous EAP request found for state 0x8902b1c38d3ea80a, released
from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
(6) eap_peap: [eaptls verify] = success
(6) eap_peap: [eaptls process] = success
(6) eap_peap: Session established.  Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) eap: Sending EAP Request (code 1) ID 61 length 40
(6) eap: EAP session adding &reply:State = 0x8902b1c38c3fa80a
(6)     [eap] = handled
(6)   } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6)   Challenge { ... } # empty sub-section is ignored
(6) session-state: Saving cached attributes
(6)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(6)   TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 228 from [Radius-Server--IP]:1812 to
[AccessPoint-IP]:52784 length 0
(6)   EAP-Message =
0x013d00281900170303001decfac5b9f026fdb34366380e8360b9b9f0f022a669e15645870ce83d3e
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0x8902b1c38c3fa80ae70679604528de30
(6) Finished request
Waking up in 4.8 seconds.
(7) Received Access-Request Id 229 from [AccessPoint-IP]:52784 to
[Radius-Server--IP]:1812 length 248
(7)   User-Name = "anonymous"
(7)   Called-Station-Id = "10-FE-ED-EB-5D-2C:OpenWrt-Radius"
(7)   NAS-Port-Type = Wireless-802.11
(7)   Service-Type = Framed-User
(7)   NAS-Port = 1
(7)   Calling-Station-Id = "52-A4-4F-C1-D8-2F"
(7)   Connect-Info = "CONNECT 54Mbps 802.11g"
(7)   Acct-Session-Id = "5F953B94262D8D47"
(7)   WLAN-Pairwise-Cipher = 1027076
(7)   WLAN-Group-Cipher = 1027076
(7)   WLAN-AKM-Suite = 1027073
(7)   Framed-MTU = 1400
(7)   EAP-Message =
0x023d002a1900170303001f0000000000000001e0aac078c1ee5f9847885927ed6dc37553d3c9a7de3384
(7)   State = 0x8902b1c38c3fa80ae70679604528de30
(7)   Message-Authenticator = 0x93924852011006c8c9aef0de7aa8985d
(7) Restoring &session-state
(7)   &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES128-GCM-SHA256"
(7)   &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(7)   authorize {
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = notfound
(7)     } # policy filter_username = notfound
(7)     [preprocess] = ok
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)     [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 61 length 42
(7) eap: Continuing tunnel setup
(7)     [eap] = ok
(7)   } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7)   authenticate {
(7) eap: Expiring EAP session with state 0x8902b1c38c3fa80a
(7) eap: Finished EAP session with state 0x8902b1c38c3fa80a
(7) eap: Previous EAP request found for state 0x8902b1c38c3fa80a, released
from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established.  Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - nutzer
(7) eap_peap: Got inner identity 'nutzer'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap:   EAP-Message = 0x023d000b016e75747a6572
(7) eap_peap: Setting User-Name to nutzer
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap:   EAP-Message = 0x023d000b016e75747a6572
(7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap:   User-Name = "nutzer"
(7) Virtual server inner-tunnel received request
(7)   EAP-Message = 0x023d000b016e75747a6572
(7)   FreeRADIUS-Proxied-To = 127.0.0.1
(7)   User-Name = "nutzer"
(7) server inner-tunnel {
(7)   # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7)     authorize {
(7)       policy filter_username {
(7)         if (&User-Name) {
(7)         if (&User-Name)  -> TRUE
(7)         if (&User-Name)  {
(7)           if (&User-Name =~ / /) {
(7)           if (&User-Name =~ / /)  -> FALSE
(7)           if (&User-Name =~ /@[^@]*@/ ) {
(7)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)           if (&User-Name =~ /\.\./ ) {
(7)           if (&User-Name =~ /\.\./ )  -> FALSE
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(7)           if (&User-Name =~ /\.$/)  {
(7)           if (&User-Name =~ /\.$/)   -> FALSE
(7)           if (&User-Name =~ /@\./)  {
(7)           if (&User-Name =~ /@\./)   -> FALSE
(7)         } # if (&User-Name)  = notfound
(7)       } # policy filter_username = notfound
(7)       [chap] = noop
(7)       [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "nutzer", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)       [suffix] = noop
(7)       update control {
(7)         &Proxy-To-Realm := LOCAL
(7)       } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 61 length 11
(7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(7)       [eap] = ok
(7)     } # authorize = ok
(7)   Found Auth-Type = eap
(7)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7)     authenticate {
(7) eap: Peer sent packet with method EAP Identity (1)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: Issuing Challenge
(7) eap: Sending EAP Request (code 1) ID 62 length 36
(7) eap: EAP session adding &reply:State = 0x2ed1a7b42eefbd97
(7)       [eap] = handled
(7)     } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7)   EAP-Message =
0x013e00241a013e001f102720785658ad93d089bc838849f76f3446726565524144495553
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0x2ed1a7b42eefbd97965fbd6ad11fccdb
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap:   EAP-Message =
0x013e00241a013e001f102720785658ad93d089bc838849f76f3446726565524144495553
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap:   State = 0x2ed1a7b42eefbd97965fbd6ad11fccdb
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap:   EAP-Message =
0x013e00241a013e001f102720785658ad93d089bc838849f76f3446726565524144495553
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap:   State = 0x2ed1a7b42eefbd97965fbd6ad11fccdb
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 62 length 67
(7) eap: EAP session adding &reply:State = 0x8902b1c38f3ca80a
(7)     [eap] = handled
(7)   } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7)   Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(7)   TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 229 from [Radius-Server--IP]:1812 to
[AccessPoint-IP]:52784 length 0
(7)   EAP-Message =
0x013e004319001703030038ecfac5b9f026fdb466ffd36bf1be038dedc69f8942b55893579d49bb08dc4e4864a720ac39e33de467b54833f9941fc7d3cfcbb8c5139a3b
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0x8902b1c38f3ca80ae70679604528de30
(7) Finished request
Waking up in 4.8 seconds.
(8) Received Access-Request Id 230 from [AccessPoint-IP]:52784 to
[Radius-Server--IP]:1812 length 302
(8)   User-Name = "anonymous"
(8)   Called-Station-Id = "10-FE-ED-EB-5D-2C:OpenWrt-Radius"
(8)   NAS-Port-Type = Wireless-802.11
(8)   Service-Type = Framed-User
(8)   NAS-Port = 1
(8)   Calling-Station-Id = "52-A4-4F-C1-D8-2F"
(8)   Connect-Info = "CONNECT 54Mbps 802.11g"
(8)   Acct-Session-Id = "5F953B94262D8D47"
(8)   WLAN-Pairwise-Cipher = 1027076
(8)   WLAN-Group-Cipher = 1027076
(8)   WLAN-AKM-Suite = 1027073
(8)   Framed-MTU = 1400
(8)   EAP-Message =
0x023e0060190017030300550000000000000002b7c376efa69b12353ab277f64af212836e42a2827a7976e1e6703751f299408a85f5feedbf95035f4a4222634e22bb79efd94ccb3b6b24885b7b76a7956933e9d94765ed93cba67ec3e570ee10
(8)   State = 0x8902b1c38f3ca80ae70679604528de30
(8)   Message-Authenticator = 0xba1f6f196915b7907e1545c2846b50d3
(8) Restoring &session-state
(8)   &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES128-GCM-SHA256"
(8)   &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(8)   authorize {
(8)     policy filter_username {
(8)       if (&User-Name) {
(8)       if (&User-Name)  -> TRUE
(8)       if (&User-Name)  {
(8)         if (&User-Name =~ / /) {
(8)         if (&User-Name =~ / /)  -> FALSE
(8)         if (&User-Name =~ /@[^@]*@/ ) {
(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)         if (&User-Name =~ /\.\./ ) {
(8)         if (&User-Name =~ /\.\./ )  -> FALSE
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(8)         if (&User-Name =~ /\.$/)  {
(8)         if (&User-Name =~ /\.$/)   -> FALSE
(8)         if (&User-Name =~ /@\./)  {
(8)         if (&User-Name =~ /@\./)   -> FALSE
(8)       } # if (&User-Name)  = notfound
(8)     } # policy filter_username = notfound
(8)     [preprocess] = ok
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 62 length 96
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8)   authenticate {
(8) eap: Expiring EAP session with state 0x2ed1a7b42eefbd97
(8) eap: Finished EAP session with state 0x8902b1c38f3ca80a
(8) eap: Previous EAP request found for state 0x8902b1c38f3ca80a, released
from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap:   EAP-Message =
0x023e00411a023e003c31b606bd0731a6c6ea57e809ea2e3bc10f0000000000000000cadd7153e8a763c5fc880b5e2b4d21f7f635d7221bfb15f0006e75747a6572
(8) eap_peap: Setting User-Name to nutzer
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap:   EAP-Message =
0x023e00411a023e003c31b606bd0731a6c6ea57e809ea2e3bc10f0000000000000000cadd7153e8a763c5fc880b5e2b4d21f7f635d7221bfb15f0006e75747a6572
(8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap:   User-Name = "nutzer"
(8) eap_peap:   State = 0x2ed1a7b42eefbd97965fbd6ad11fccdb
(8) Virtual server inner-tunnel received request
(8)   EAP-Message =
0x023e00411a023e003c31b606bd0731a6c6ea57e809ea2e3bc10f0000000000000000cadd7153e8a763c5fc880b5e2b4d21f7f635d7221bfb15f0006e75747a6572
(8)   FreeRADIUS-Proxied-To = 127.0.0.1
(8)   User-Name = "nutzer"
(8)   State = 0x2ed1a7b42eefbd97965fbd6ad11fccdb
(8) server inner-tunnel {
(8)   session-state: No cached attributes
(8)   # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(8)     authorize {
(8)       policy filter_username {
(8)         if (&User-Name) {
(8)         if (&User-Name)  -> TRUE
(8)         if (&User-Name)  {
(8)           if (&User-Name =~ / /) {
(8)           if (&User-Name =~ / /)  -> FALSE
(8)           if (&User-Name =~ /@[^@]*@/ ) {
(8)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)           if (&User-Name =~ /\.\./ ) {
(8)           if (&User-Name =~ /\.\./ )  -> FALSE
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(8)           if (&User-Name =~ /\.$/)  {
(8)           if (&User-Name =~ /\.$/)   -> FALSE
(8)           if (&User-Name =~ /@\./)  {
(8)           if (&User-Name =~ /@\./)   -> FALSE
(8)         } # if (&User-Name)  = notfound
(8)       } # policy filter_username = notfound
(8)       [chap] = noop
(8)       [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "nutzer", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)       [suffix] = noop
(8)       update control {
(8)         &Proxy-To-Realm := LOCAL
(8)       } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 62 length 65
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8)       [eap] = updated
(8) files: users: Matched entry nutzer at line 91
(8)       [files] = ok
(8)       [expiration] = noop
(8)       [logintime] = noop
(8) pap: WARNING: Auth-Type already set.  Not setting to PAP
(8)       [pap] = noop
(8)     } # authorize = updated
(8)   Found Auth-Type = eap
(8)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(8)     authenticate {
(8) eap: Expiring EAP session with state 0x2ed1a7b42eefbd97
(8) eap: Finished EAP session with state 0x2ed1a7b42eefbd97
(8) eap: Previous EAP request found for state 0x2ed1a7b42eefbd97, released
from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) eap_mschapv2:   authenticate {
(8) mschap: Found Cleartext-Password, hashing to create NT-Password
(8) mschap: Creating challenge hash with username: nutzer
(8) mschap: Client is using MS-CHAPv2
(8) mschap: Adding MS-CHAPv2 MPPE keys
(8) eap_mschapv2:     [mschap] = ok
(8) eap_mschapv2:   } # authenticate = ok
(8) eap_mschapv2: MSCHAP Success
(8) eap: Sending EAP Request (code 1) ID 63 length 51
(8) eap: EAP session adding &reply:State = 0x2ed1a7b42feebd97
(8)       [eap] = handled
(8)     } # authenticate = handled
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8)   Reply-Message = "erfolgreich angemeldet"
(8)   EAP-Message =
0x013f00331a033e002e533d35423445364534324644304332413134383033353232374230464341393333314432374234373742
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0x2ed1a7b42feebd97965fbd6ad11fccdb
(8) eap_peap: Got tunneled reply code 11
(8) eap_peap:   Reply-Message = "erfolgreich angemeldet"
(8) eap_peap:   EAP-Message =
0x013f00331a033e002e533d35423445364534324644304332413134383033353232374230464341393333314432374234373742
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap:   State = 0x2ed1a7b42feebd97965fbd6ad11fccdb
(8) eap_peap: Got tunneled reply RADIUS code 11
(8) eap_peap:   Reply-Message = "erfolgreich angemeldet"
(8) eap_peap:   EAP-Message =
0x013f00331a033e002e533d35423445364534324644304332413134383033353232374230464341393333314432374234373742
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap:   State = 0x2ed1a7b42feebd97965fbd6ad11fccdb
(8) eap_peap: Got tunneled Access-Challenge
(8) eap: Sending EAP Request (code 1) ID 63 length 82
(8) eap: EAP session adding &reply:State = 0x8902b1c38e3da80a
(8)     [eap] = handled
(8)   } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8)   Challenge { ... } # empty sub-section is ignored
(8) session-state: Saving cached attributes
(8)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(8)   TLS-Session-Version = "TLS 1.2"
(8) Sent Access-Challenge Id 230 from [Radius-Server--IP]:1812 to
[AccessPoint-IP]:52784 length 0
(8)   EAP-Message =
0x013f005219001703030047ecfac5b9f026fdb5c3949b4fa25b0f03ff2444a0346e2d2bfbf4c7d85ed0631c51ba88fd1d3d834630413cf4a81496b1e60b9fb3f44bc2b1c9f8e17541dd9d3790c97e2a5480ea
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0x8902b1c38e3da80ae70679604528de30
(8) Finished request
Waking up in 4.7 seconds.
(9) Received Access-Request Id 231 from [AccessPoint-IP]:52784 to
[Radius-Server--IP]:1812 length 243
(9)   User-Name = "anonymous"
(9)   Called-Station-Id = "10-FE-ED-EB-5D-2C:OpenWrt-Radius"
(9)   NAS-Port-Type = Wireless-802.11
(9)   Service-Type = Framed-User
(9)   NAS-Port = 1
(9)   Calling-Station-Id = "52-A4-4F-C1-D8-2F"
(9)   Connect-Info = "CONNECT 54Mbps 802.11g"
(9)   Acct-Session-Id = "5F953B94262D8D47"
(9)   WLAN-Pairwise-Cipher = 1027076
(9)   WLAN-Group-Cipher = 1027076
(9)   WLAN-AKM-Suite = 1027073
(9)   Framed-MTU = 1400
(9)   EAP-Message =
0x023f00251900170303001a0000000000000003cbe55c8fa673ed763ec11b9886929012cfb6
(9)   State = 0x8902b1c38e3da80ae70679604528de30
(9)   Message-Authenticator = 0xb176355d068fcaa4270ee4357402dffa
(9) Restoring &session-state
(9)   &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES128-GCM-SHA256"
(9)   &session-state:TLS-Session-Version = "TLS 1.2"
(9) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(9)   authorize {
(9)     policy filter_username {
(9)       if (&User-Name) {
(9)       if (&User-Name)  -> TRUE
(9)       if (&User-Name)  {
(9)         if (&User-Name =~ / /) {
(9)         if (&User-Name =~ / /)  -> FALSE
(9)         if (&User-Name =~ /@[^@]*@/ ) {
(9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)         if (&User-Name =~ /\.\./ ) {
(9)         if (&User-Name =~ /\.\./ )  -> FALSE
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(9)         if (&User-Name =~ /\.$/)  {
(9)         if (&User-Name =~ /\.$/)   -> FALSE
(9)         if (&User-Name =~ /@\./)  {
(9)         if (&User-Name =~ /@\./)   -> FALSE
(9)       } # if (&User-Name)  = notfound
(9)     } # policy filter_username = notfound
(9)     [preprocess] = ok
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 63 length 37
(9) eap: Continuing tunnel setup
(9)     [eap] = ok
(9)   } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(9)   authenticate {
(9) eap: Expiring EAP session with state 0x2ed1a7b42feebd97
(9) eap: Finished EAP session with state 0x8902b1c38e3da80a
(9) eap: Previous EAP request found for state 0x8902b1c38e3da80a, released
from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established.  Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap:   EAP-Message = 0x023f00061a03
(9) eap_peap: Setting User-Name to nutzer
(9) eap_peap: Sending tunneled request to inner-tunnel
(9) eap_peap:   EAP-Message = 0x023f00061a03
(9) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap:   User-Name = "nutzer"
(9) eap_peap:   State = 0x2ed1a7b42feebd97965fbd6ad11fccdb
(9) Virtual server inner-tunnel received request
(9)   EAP-Message = 0x023f00061a03
(9)   FreeRADIUS-Proxied-To = 127.0.0.1
(9)   User-Name = "nutzer"
(9)   State = 0x2ed1a7b42feebd97965fbd6ad11fccdb
(9) server inner-tunnel {
(9)   session-state: No cached attributes
(9)   # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(9)     authorize {
(9)       policy filter_username {
(9)         if (&User-Name) {
(9)         if (&User-Name)  -> TRUE
(9)         if (&User-Name)  {
(9)           if (&User-Name =~ / /) {
(9)           if (&User-Name =~ / /)  -> FALSE
(9)           if (&User-Name =~ /@[^@]*@/ ) {
(9)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)           if (&User-Name =~ /\.\./ ) {
(9)           if (&User-Name =~ /\.\./ )  -> FALSE
(9)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(9)           if (&User-Name =~ /\.$/)  {
(9)           if (&User-Name =~ /\.$/)   -> FALSE
(9)           if (&User-Name =~ /@\./)  {
(9)           if (&User-Name =~ /@\./)   -> FALSE
(9)         } # if (&User-Name)  = notfound
(9)       } # policy filter_username = notfound
(9)       [chap] = noop
(9)       [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "nutzer", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)       [suffix] = noop
(9)       update control {
(9)         &Proxy-To-Realm := LOCAL
(9)       } # update control = noop
(9) eap: Peer sent EAP Response (code 2) ID 63 length 6
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9)       [eap] = updated
(9) files: users: Matched entry nutzer at line 91
(9)       [files] = ok
(9)       [expiration] = noop
(9)       [logintime] = noop
(9) pap: WARNING: Auth-Type already set.  Not setting to PAP
(9)       [pap] = noop
(9)     } # authorize = updated
(9)   Found Auth-Type = eap
(9)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(9)     authenticate {
(9) eap: Expiring EAP session with state 0x2ed1a7b42feebd97
(9) eap: Finished EAP session with state 0x2ed1a7b42feebd97
(9) eap: Previous EAP request found for state 0x2ed1a7b42feebd97, released
from the list
(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap: Sending EAP Success (code 3) ID 63 length 4
(9) eap: Freeing handler
(9)       [eap] = ok
(9)     } # authenticate = ok
(9)   # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(9)     post-auth {
(9)       if (0) {
(9)       if (0)  -> FALSE
(9)     } # post-auth = noop
(9) } # server inner-tunnel
(9) Virtual server sending reply
(9)   Reply-Message = "erfolgreich angemeldet"
(9)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(9)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9)   MS-MPPE-Send-Key = 0x50d5bd156a50d58e85d2a076d798831e
(9)   MS-MPPE-Recv-Key = 0x7c8f5601917212d1327bbdea5c8da66f
(9)   EAP-Message = 0x033f0004
(9)   Message-Authenticator = 0x00000000000000000000000000000000
(9)   User-Name = "nutzer"
(9) eap_peap: Got tunneled reply code 2
(9) eap_peap:   Reply-Message = "erfolgreich angemeldet"
(9) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(9) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9) eap_peap:   MS-MPPE-Send-Key = 0x50d5bd156a50d58e85d2a076d798831e
(9) eap_peap:   MS-MPPE-Recv-Key = 0x7c8f5601917212d1327bbdea5c8da66f
(9) eap_peap:   EAP-Message = 0x033f0004
(9) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap:   User-Name = "nutzer"
(9) eap_peap: Got tunneled reply RADIUS code 2
(9) eap_peap:   Reply-Message = "erfolgreich angemeldet"
(9) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(9) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9) eap_peap:   MS-MPPE-Send-Key = 0x50d5bd156a50d58e85d2a076d798831e
(9) eap_peap:   MS-MPPE-Recv-Key = 0x7c8f5601917212d1327bbdea5c8da66f
(9) eap_peap:   EAP-Message = 0x033f0004
(9) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap:   User-Name = "nutzer"
(9) eap_peap: Tunneled authentication was successful
(9) eap_peap: SUCCESS
(9) eap: Sending EAP Request (code 1) ID 64 length 46
(9) eap: EAP session adding &reply:State = 0x8902b1c38142a80a
(9)     [eap] = handled
(9)   } # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(9)   Challenge { ... } # empty sub-section is ignored
(9) session-state: Saving cached attributes
(9)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(9)   TLS-Session-Version = "TLS 1.2"
(9) Sent Access-Challenge Id 231 from [Radius-Server--IP]:1812 to
[AccessPoint-IP]:52784 length 0
(9)   EAP-Message =
0x0140002e19001703030023ecfac5b9f026fdb6def9d75642a91809a7691d8810651f43efe154f80e86ae57b96fad
(9)   Message-Authenticator = 0x00000000000000000000000000000000
(9)   State = 0x8902b1c38142a80ae70679604528de30
(9) Finished request
Waking up in 4.7 seconds.
(10) Received Access-Request Id 232 from [AccessPoint-IP]:52784 to
[Radius-Server--IP]:1812 length 252
(10)   User-Name = "anonymous"
(10)   Called-Station-Id = "10-FE-ED-EB-5D-2C:OpenWrt-Radius"
(10)   NAS-Port-Type = Wireless-802.11
(10)   Service-Type = Framed-User
(10)   NAS-Port = 1
(10)   Calling-Station-Id = "52-A4-4F-C1-D8-2F"
(10)   Connect-Info = "CONNECT 54Mbps 802.11g"
(10)   Acct-Session-Id = "5F953B94262D8D47"
(10)   WLAN-Pairwise-Cipher = 1027076
(10)   WLAN-Group-Cipher = 1027076
(10)   WLAN-AKM-Suite = 1027073
(10)   Framed-MTU = 1400
(10)   EAP-Message =
0x0240002e190017030300230000000000000004598be5cd17bc1cc280dbafa093e71b66a27b56747cca541ccc74d7
(10)   State = 0x8902b1c38142a80ae70679604528de30
(10)   Message-Authenticator = 0x77415c7c2ccfdce32bf004396980be98
(10) Restoring &session-state
(10)   &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES128-GCM-SHA256"
(10)   &session-state:TLS-Session-Version = "TLS 1.2"
(10) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(10)   authorize {
(10)     policy filter_username {
(10)       if (&User-Name) {
(10)       if (&User-Name)  -> TRUE
(10)       if (&User-Name)  {
(10)         if (&User-Name =~ / /) {
(10)         if (&User-Name =~ / /)  -> FALSE
(10)         if (&User-Name =~ /@[^@]*@/ ) {
(10)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(10)         if (&User-Name =~ /\.\./ ) {
(10)         if (&User-Name =~ /\.\./ )  -> FALSE
(10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(10)         if (&User-Name =~ /\.$/)  {
(10)         if (&User-Name =~ /\.$/)   -> FALSE
(10)         if (&User-Name =~ /@\./)  {
(10)         if (&User-Name =~ /@\./)   -> FALSE
(10)       } # if (&User-Name)  = notfound
(10)     } # policy filter_username = notfound
(10)     [preprocess] = ok
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(10) suffix: No such realm "NULL"
(10)     [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 64 length 46
(10) eap: Continuing tunnel setup
(10)     [eap] = ok
(10)   } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(10)   authenticate {
(10) eap: Expiring EAP session with state 0x8902b1c38142a80a
(10) eap: Finished EAP session with state 0x8902b1c38142a80a
(10) eap: Previous EAP request found for state 0x8902b1c38142a80a, released
from the list
(10) eap: Peer sent packet with method EAP PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: Continuing EAP-TLS
(10) eap_peap: [eaptls verify] = ok
(10) eap_peap: Done initial handshake
(10) eap_peap: [eaptls process] = ok
(10) eap_peap: Session established.  Decoding tunneled attributes
(10) eap_peap: PEAP state send tlv success
(10) eap_peap: Received EAP-TLV response
(10) eap_peap: Success
(10) eap: Sending EAP Success (code 3) ID 64 length 4
(10) eap: Freeing handler
(10)     [eap] = ok
(10)   } # authenticate = ok
(10) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default
(10)   post-auth {
(10)     if (session-state:User-Name && reply:User-Name &&
request:User-Name && (reply:User-Name == request:User-Name)) {
(10)     if (session-state:User-Name && reply:User-Name &&
request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
(10)     update {
(10)       &reply::TLS-Session-Cipher-Suite +=
&session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES128-GCM-SHA256'
(10)       &reply::TLS-Session-Version +=
&session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(10)     } # update = noop
(10)     [exec] = noop
(10)     policy remove_reply_message_if_eap {
(10)       if (&reply:EAP-Message && &reply:Reply-Message) {
(10)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(10)       else {
(10)         [noop] = noop
(10)       } # else = noop
(10)     } # policy remove_reply_message_if_eap = noop
(10)   } # post-auth = noop
(10) Sent Access-Accept Id 232 from [Radius-Server--IP]:1812 to
[AccessPoint-IP]:52784 length 0
(10)   MS-MPPE-Recv-Key =
0xc00afb4a5bcb38d545ce954afbe9bd270d9d2d9eff388c9e26334c496739119d
(10)   MS-MPPE-Send-Key =
0x0d596e21fc68bc9283e2f40c94a5a23b2ebc525f199b38613ef307594d68d4cc
(10)   EAP-Message = 0x03400004
(10)   Message-Authenticator = 0x00000000000000000000000000000000
(10)   User-Name = "anonymous"
(10) Finished request
Waking up in 4.7 seconds.

