How "bind as user" mode works?

Rodrigo Abrantes Antunes rodrigoantunes at pelotas.ifsul.edu.br
Thu Aug 17 14:17:20 UTC 2023


Can you point me where in the debug output it shows that it's doing PEAP+MSCHAP?

(0) Received Access-Request Id 110 from 10.1.0.14:56440 to 10.1.0.22:1812 length 315
(0)   User-Name = "user"
(0)   Chargeable-User-Identity = 0x08
(0)   Location-Capable = Civic-Location
(0)   Calling-Station-Id = "94-65-2d-20-e7-8a"
(0)   Called-Station-Id = "64-e9-50-67-4d-b0:testes"
(0)   NAS-Port = 1
(0)   Cisco-AVPair = "audit-session-id=08f910ac001cf280f828de64"
(0)   Acct-Session-Id = "64de28f8/94:65:2d:20:e7:8a/1967089"
(0)   Cisco-AVPair = "mDNS=true"
(0)   NAS-IP-Address = 172.16.249.8
(0)   NAS-Identifier = "IFSUL_PEL_WLAN_CONTROLLER"
(0)   Airespace-Wlan-Id = 6
(0)   Service-Type = Framed-User
(0)   Framed-MTU = 1300
(0)   NAS-Port-Type = Wireless-802.11
(0)   Tunnel-Type:0 = VLAN
(0)   Tunnel-Medium-Type:0 = IEEE-802
(0)   Tunnel-Private-Group-Id:0 = "1"
(0)   EAP-Message = 0x0201001301726f647269676f616e74756e6573
(0)   Message-Authenticator = 0x073ed17a2e43240477e9c3f2a01a855f
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "user", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 1 length 19
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 2 length 22
(0) eap: EAP session adding &reply:State = 0xd0b13007d0b3346e
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 110 from 10.1.0.22:1812 to 10.1.0.14:56440 length 80
(0)   EAP-Message = 0x010200160410de1b40c91886dc69131359dd1a2d5c60
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0xd0b13007d0b3346e8aa23b1bb1646026
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 111 from 10.1.0.14:56440 to 10.1.0.22:1812 length 320
(1)   User-Name = "user"
(1)   Chargeable-User-Identity = 0x08
(1)   Location-Capable = Civic-Location
(1)   Calling-Station-Id = "94-65-2d-20-e7-8a"
(1)   Called-Station-Id = "64-e9-50-67-4d-b0:testes"
(1)   NAS-Port = 1
(1)   Cisco-AVPair = "audit-session-id=08f910ac001cf280f828de64"
(1)   Acct-Session-Id = "64de28f8/94:65:2d:20:e7:8a/1967089"
(1)   Cisco-AVPair = "mDNS=true"
(1)   NAS-IP-Address = 172.16.249.8
(1)   NAS-Identifier = "IFSUL_PEL_WLAN_CONTROLLER"
(1)   Airespace-Wlan-Id = 6
(1)   Service-Type = Framed-User
(1)   Framed-MTU = 1300
(1)   NAS-Port-Type = Wireless-802.11
(1)   Tunnel-Type:0 = VLAN
(1)   Tunnel-Medium-Type:0 = IEEE-802
(1)   Tunnel-Private-Group-Id:0 = "1"
(1)   EAP-Message = 0x020200060315
(1)   State = 0xd0b13007d0b3346e8aa23b1bb1646026
(1)   Message-Authenticator = 0x6acb1f100d12e7635d6ca4258cab3cfc
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "user", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 2 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1)     [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(1) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap:    --> (sAMAccountName=user)
(1) ldap: Performing search in "DC=adm,DC=ifsul,DC=edu,DC=br" with filter "(sAMAccountName=user)", scope "sub"
(1) ldap: Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.adm.ifsul.edu.br/DC=ForestDnsZones,DC=adm,DC=ifsul,DC=edu,DC=br
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.adm.ifsul.edu.br/DC=DomainDnsZones,DC=adm,DC=ifsul,DC=edu,DC=br
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://adm.ifsul.edu.br/CN=Configuration,DC=adm,DC=ifsul,DC=edu,DC=br
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(1) ldap: User object found at DN "CN=Rodrigo Abrantes Antunes,OU=Users,OU=CampusPelotas,DC=adm,DC=ifsul,DC=edu,DC=br"
(1) ldap: Processing user attributes
(1) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(1) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
Need more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldap://10.1.0.3:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(1)     [ldap] = ok
(1)     if ((ok || updated) && User-Password && !control:Auth-Type) {
(1)     if ((ok || updated) && User-Password && !control:Auth-Type)  -> FALSE
(1)     [expiration] = noop
(1)     [logintime] = noop
Not doing PAP as Auth-Type is already set.
(1)     [pap] = noop
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0xd0b13007d0b3346e
(1) eap: Finished EAP session with state 0xd0b13007d0b3346e
(1) eap: Previous EAP request found for state 0xd0b13007d0b3346e, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type TTLS (21)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: (TLS) Initiating new session
(1) eap: Sending EAP Request (code 1) ID 3 length 6
(1) eap: EAP session adding &reply:State = 0xd0b13007d1b2256e
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   Challenge { ... } # empty sub-section is ignored
(1) session-state: Saving cached attributes
(1)   Framed-MTU = 994
(1) Sent Access-Challenge Id 111 from 10.1.0.22:1812 to 10.1.0.14:56440 length 64
(1)   EAP-Message = 0x010300061520
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0xd0b13007d1b2256e8aa23b1bb1646026
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 112 from 10.1.0.14:56440 to 10.1.0.22:1812 length 463
(2)   User-Name = "user"
(2)   Chargeable-User-Identity = 0x08
(2)   Location-Capable = Civic-Location
(2)   Calling-Station-Id = "94-65-2d-20-e7-8a"
(2)   Called-Station-Id = "64-e9-50-67-4d-b0:testes"
(2)   NAS-Port = 1
(2)   Cisco-AVPair = "audit-session-id=08f910ac001cf280f828de64"
(2)   Acct-Session-Id = "64de28f8/94:65:2d:20:e7:8a/1967089"
(2)   Cisco-AVPair = "mDNS=true"
(2)   NAS-IP-Address = 172.16.249.8
(2)   NAS-Identifier = "IFSUL_PEL_WLAN_CONTROLLER"
(2)   Airespace-Wlan-Id = 6
(2)   Service-Type = Framed-User
(2)   Framed-MTU = 1300
(2)   NAS-Port-Type = Wireless-802.11
(2)   Tunnel-Type:0 = VLAN
(2)   Tunnel-Medium-Type:0 = IEEE-802
(2)   Tunnel-Private-Group-Id:0 = "1"
(2)   EAP-Message =  
0x020300951500160301008a010000860303de78176f56f7aefe27c3d351422f2c1755b6cb9fa3da6ea586a05b0b848ac2b500002ac02bc02fc02cc030cca9cca8c009c023c013c027c00ac024c014c028009c009d002f003c0035003d000a01000033ff0100010000170000000d00140012040308040401050308050501080606010201000b00020100000a00080006001d00170018
(2)   State = 0xd0b13007d1b2256e8aa23b1bb1646026
(2)   Message-Authenticator = 0xefb44e4d8a2901c6432ed6957043e5ba
(2) Restoring &session-state
(2)   &session-state:Framed-MTU = 994
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "user", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 149
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0xd0b13007d1b2256e
(2) eap: Finished EAP session with state 0xd0b13007d1b2256e
(2) eap: Previous EAP request found for state 0xd0b13007d1b2256e, released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: (TLS) EAP Done initial handshake
(2) eap_ttls: (TLS) Handshake state - before SSL initialization
(2) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(2) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(2) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello
(2) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client hello
(2) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHello
(2) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server hello
(2) eap_ttls: (TLS) send TLS 1.2 Handshake, Certificate
(2) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write certificate
(2) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(2) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write key exchange
(2) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHelloDone
(2) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done
(2) eap_ttls: (TLS) Server : Need to read more data: SSLv3/TLS write server done
(2) eap_ttls: (TLS) In Handshake Phase
(2) eap: Sending EAP Request (code 1) ID 4 length 1004
(2) eap: EAP session adding &reply:State = 0xd0b13007d2b5256e
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   Challenge { ... } # empty sub-section is ignored
(2) session-state: Saving cached attributes
(2)   Framed-MTU = 994
(2)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(2)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(2)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(2)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(2)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(2) Sent Access-Challenge Id 112 from 10.1.0.22:1812 to 10.1.0.14:56440 length 1068
(2)   EAP-Message =  
0x010403ec15c0000004bd160303003d02000039030399ac899f84a241f42e5249e6e6f55e4a42befff2b7eb0dcb422ec23b5b2b5f8400c02f000011ff01000100000b00040300010200170000160303033c0b0003380003350003323082032e30820216a00302010202140bdc8930fa93c935a1fe2e101c9b969c1b39bf7a300d06092a864886f70d01010b050030263124302206035504030c1b696673303173763030342e61646d2e696673756c2e6564752e6272301e170d3233303831303135343833385a170d3333303830373135343833385a30263124302206035504030c1b696673303173763030342e61646d2e696673756c2e6564752e627230820122300d06092a864886f70d01010105000382010f003082010a02820101008f47503a2f56ac3b1dcd9a368bd44ad374ee8b376cce40386bcc8a4d06347b1d84017a75ae425f9f663c0dc0583a1f45e106eb7f82deb3fdbac0f5798aa47245dc13a126b07ed574ffe995d7f75b0735405a738c641766f3c4
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0xd0b13007d2b5256e8aa23b1bb1646026
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 113 from 10.1.0.14:56440 to 10.1.0.22:1812 length 320
(3)   User-Name = "user"
(3)   Chargeable-User-Identity = 0x08
(3)   Location-Capable = Civic-Location
(3)   Calling-Station-Id = "94-65-2d-20-e7-8a"
(3)   Called-Station-Id = "64-e9-50-67-4d-b0:testes"
(3)   NAS-Port = 1
(3)   Cisco-AVPair = "audit-session-id=08f910ac001cf280f828de64"
(3)   Acct-Session-Id = "64de28f8/94:65:2d:20:e7:8a/1967089"
(3)   Cisco-AVPair = "mDNS=true"
(3)   NAS-IP-Address = 172.16.249.8
(3)   NAS-Identifier = "IFSUL_PEL_WLAN_CONTROLLER"
(3)   Airespace-Wlan-Id = 6
(3)   Service-Type = Framed-User
(3)   Framed-MTU = 1300
(3)   NAS-Port-Type = Wireless-802.11
(3)   Tunnel-Type:0 = VLAN
(3)   Tunnel-Medium-Type:0 = IEEE-802
(3)   Tunnel-Private-Group-Id:0 = "1"
(3)   EAP-Message = 0x020400061500
(3)   State = 0xd0b13007d2b5256e8aa23b1bb1646026
(3)   Message-Authenticator = 0x8fb9cb6f3722e24d80cd22ce061c508a
(3) Restoring &session-state
(3)   &session-state:Framed-MTU = 994
(3)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(3)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(3)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(3)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(3)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "user", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 4 length 6
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0xd0b13007d2b5256e
(3) eap: Finished EAP session with state 0xd0b13007d2b5256e
(3) eap: Previous EAP request found for state 0xd0b13007d2b5256e, released from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: (TLS) Peer ACKed our handshake fragment
(3) eap: Sending EAP Request (code 1) ID 5 length 229
(3) eap: EAP session adding &reply:State = 0xd0b13007d3b4256e
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3)   Challenge { ... } # empty sub-section is ignored
(3) session-state: Saving cached attributes
(3)   Framed-MTU = 994
(3)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(3)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(3)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(3)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(3)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(3) Sent Access-Challenge Id 113 from 10.1.0.22:1812 to 10.1.0.14:56440 length 287
(3)   EAP-Message =  
0x010500e51580000004bd935694d2a672946f8dd8f4dcbd146de3bdda1682df98aa8aff4ef5884e181a0c6bc06be842ffc9b0a3adb396b5fe1cac83b593b3926af66f69ea0da3e2cd5439350b160dc3e384f0800c5c3fdb41bc58c7cb5a4e8869acd39becc5c031a3c893b90566387801e56f9c6abac4489cfe0332f1645ed73820b1f6c82fdcc8801ba4056e7727ae4de0f9a9915f59a69ee0cd17040669b71f8ab72f313d8f1e11bb9e6aadf0f389e6217b5d824c761e2790b1b67f25a5765e095c1518ed949f5844a95ce99fb123f3a69cc99483057f8dc0fe8a2d16030300040e000000
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0xd0b13007d3b4256e8aa23b1bb1646026
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 114 from 10.1.0.14:56440 to 10.1.0.22:1812 length 413
(4)   User-Name = "user"
(4)   Chargeable-User-Identity = 0x08
(4)   Location-Capable = Civic-Location
(4)   Calling-Station-Id = "94-65-2d-20-e7-8a"
(4)   Called-Station-Id = "64-e9-50-67-4d-b0:testes"
(4)   NAS-Port = 1
(4)   Cisco-AVPair = "audit-session-id=08f910ac001cf280f828de64"
(4)   Acct-Session-Id = "64de28f8/94:65:2d:20:e7:8a/1967089"
(4)   Cisco-AVPair = "mDNS=true"
(4)   NAS-IP-Address = 172.16.249.8
(4)   NAS-Identifier = "IFSUL_PEL_WLAN_CONTROLLER"
(4)   Airespace-Wlan-Id = 6
(4)   Service-Type = Framed-User
(4)   Framed-MTU = 1300
(4)   NAS-Port-Type = Wireless-802.11
(4)   Tunnel-Type:0 = VLAN
(4)   Tunnel-Medium-Type:0 = IEEE-802
(4)   Tunnel-Private-Group-Id:0 = "1"
(4)   EAP-Message =  
0x0205006315001603030025100000212024fa4ea6b7900fd6094f19358a0512903336af60c9ed5d4d1b48b5ab929dce0d1403030001011603030028000000000000000098188b912188f7c3fdf5f376a6c5f23b4ae38c452e34f0651e5709d4d0ff868f
(4)   State = 0xd0b13007d3b4256e8aa23b1bb1646026
(4)   Message-Authenticator = 0xe1c8de260318301176a326809d472675
(4) Restoring &session-state
(4)   &session-state:Framed-MTU = 994
(4)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(4)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(4)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(4)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(4)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "user", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 5 length 99
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0xd0b13007d3b4256e
(4) eap: Finished EAP session with state 0xd0b13007d3b4256e
(4) eap: Previous EAP request found for state 0xd0b13007d3b4256e, released from the list
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: (TLS) EAP Done initial handshake
(4) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done
(4) eap_ttls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
(4) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange
(4) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec
(4) eap_ttls: (TLS) recv TLS 1.2 Handshake, Finished
(4) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read finished
(4) eap_ttls: (TLS) send TLS 1.2 ChangeCipherSpec
(4) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec
(4) eap_ttls: (TLS) send TLS 1.2 Handshake, Finished
(4) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write finished
(4) eap_ttls: (TLS) Handshake state - SSL negotiation finished successfully
(4) eap_ttls: (TLS) Connection Established
(4) eap_ttls:   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(4) eap_ttls:   TLS-Session-Version = "TLS 1.2"
(4) eap: Sending EAP Request (code 1) ID 6 length 61
(4) eap: EAP session adding &reply:State = 0xd0b13007d4b7256e
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   Challenge { ... } # empty sub-section is ignored
(4) session-state: Saving cached attributes
(4)   Framed-MTU = 994
(4)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(4)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(4)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(4)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(4)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(4)   TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(4)   TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(4)   TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(4)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(4)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(4)   TLS-Session-Version = "TLS 1.2"
(4) Sent Access-Challenge Id 114 from 10.1.0.22:1812 to 10.1.0.14:56440 length 119
(4)   EAP-Message =  
0x0106003d158000000033140303000101160303002808490d9cfbda337bb9a1be8b062437f40d2269b6168811ae4cc82f2f5d69346a47cfb6c9f5e59460
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0xd0b13007d4b7256e8aa23b1bb1646026
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 115 from 10.1.0.14:56440 to 10.1.0.22:1812 length 397
(5)   User-Name = "user"
(5)   Chargeable-User-Identity = 0x08
(5)   Location-Capable = Civic-Location
(5)   Calling-Station-Id = "94-65-2d-20-e7-8a"
(5)   Called-Station-Id = "64-e9-50-67-4d-b0:testes"
(5)   NAS-Port = 1
(5)   Cisco-AVPair = "audit-session-id=08f910ac001cf280f828de64"
(5)   Acct-Session-Id = "64de28f8/94:65:2d:20:e7:8a/1967089"
(5)   Cisco-AVPair = "mDNS=true"
(5)   NAS-IP-Address = 172.16.249.8
(5)   NAS-Identifier = "IFSUL_PEL_WLAN_CONTROLLER"
(5)   Airespace-Wlan-Id = 6
(5)   Service-Type = Framed-User
(5)   Framed-MTU = 1300
(5)   NAS-Port-Type = Wireless-802.11
(5)   Tunnel-Type:0 = VLAN
(5)   Tunnel-Medium-Type:0 = IEEE-802
(5)   Tunnel-Private-Group-Id:0 = "1"
(5)   EAP-Message =  
0x020600531500170303004800000000000000014c4ea959e5e96d267c449c740509fc718b7e42f0b65c6c70ea0046b7b893126bdd3aa20602103807c7ff81b8238d10f30223d9fc6adb6ef3decaf01491b82651
(5)   State = 0xd0b13007d4b7256e8aa23b1bb1646026
(5)   Message-Authenticator = 0xf9e894523322b64d979dc6efbceb955f
(5) Restoring &session-state
(5)   &session-state:Framed-MTU = 994
(5)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(5)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(5)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(5)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(5)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(5)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(5)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(5)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(5)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(5)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(5)   &session-state:TLS-Session-Version = "TLS 1.2"
(5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "user", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 6 length 83
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0xd0b13007d4b7256e
(5) eap: Finished EAP session with state 0xd0b13007d4b7256e
(5) eap: Previous EAP request found for state 0xd0b13007d4b7256e, released from the list
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: (TLS) EAP Done initial handshake
(5) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(5) eap_ttls: Got tunneled request
(5) eap_ttls:   User-Name = "user"
(5) eap_ttls:   User-Password = "password"
(5) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(5) eap_ttls: Sending tunneled request
(5) Virtual server inner-tunnel received request
(5)   User-Name = "user"
(5)   User-Password = "password"
(5)   FreeRADIUS-Proxied-To = 127.0.0.1
(5) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(5) server inner-tunnel {
(5)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(5)     authorize {
(5)       policy filter_username {
(5)         if (&User-Name) {
(5)         if (&User-Name)  -> TRUE
(5)         if (&User-Name)  {
(5)           if (&User-Name =~ / /) {
(5)           if (&User-Name =~ / /)  -> FALSE
(5)           if (&User-Name =~ /@[^@]*@/ ) {
(5)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)           if (&User-Name =~ /\.\./ ) {
(5)           if (&User-Name =~ /\.\./ )  -> FALSE
(5)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)           if (&User-Name =~ /\.$/)  {
(5)           if (&User-Name =~ /\.$/)   -> FALSE
(5)           if (&User-Name =~ /@\./)  {
(5)           if (&User-Name =~ /@\./)   -> FALSE
(5)         } # if (&User-Name)  = notfound
(5)       } # policy filter_username = notfound
(5)       [chap] = noop
(5)       [mschap] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "user", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)       [suffix] = noop
(5)       update control {
(5)         &Proxy-To-Realm := LOCAL
(5)       } # update control = noop
(5) eap: No EAP-Message, not doing EAP
(5)       [eap] = noop
(5)       [files] = noop
rlm_ldap (ldap): Reserved connection (1)
(5) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(5) ldap:    --> (sAMAccountName=user)
(5) ldap: Performing search in "DC=adm,DC=ifsul,DC=edu,DC=br" with filter "(sAMAccountName=user)", scope "sub"
(5) ldap: Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.adm.ifsul.edu.br/DC=ForestDnsZones,DC=adm,DC=ifsul,DC=edu,DC=br
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.adm.ifsul.edu.br/DC=DomainDnsZones,DC=adm,DC=ifsul,DC=edu,DC=br
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://adm.ifsul.edu.br/CN=Configuration,DC=adm,DC=ifsul,DC=edu,DC=br
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(5) ldap: User object found at DN "CN=Rodrigo Abrantes  
Antunes,OU=Users,OU=CampusPelotas,DC=adm,DC=ifsul,DC=edu,DC=br"
(5) ldap: Processing user attributes
(5) ldap: WARNING: No "known good" password added. Ensure the admin  
user has permission to read the password attribute
(5) ldap: WARNING: PAP authentication will *NOT* work with Active  
Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (1)
(5)       [ldap] = ok
(5)       [expiration] = noop
(5)       [logintime] = noop
(5)       [pap] = noop
(5)     } # authorize = ok
(5)   ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type  
= Reject
(5)   Failed to authenticate the user
(5)   Using Post-Auth-Type Reject
(5)   # Executing group from file  
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(5)     Post-Auth-Type REJECT {
(5) attr_filter.access_reject: EXPAND %{User-Name}
(5) attr_filter.access_reject:    --> user
(5) attr_filter.access_reject: Matched entry DEFAULT at line 11
(5)       [attr_filter.access_reject] = updated
(5)       update outer.session-state {
(5)         &Module-Failure-Message := &request:Module-Failure-Message  
-> 'No Auth-Type found: rejecting the user via Post-Auth-Type = Reject'
(5)       } # update outer.session-state = noop
(5)     } # Post-Auth-Type REJECT = updated
(5) } # server inner-tunnel
(5) Virtual server sending reply
(5) eap_ttls: Got tunneled Access-Reject
(5) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP  
sub-module failed
(5) eap: Sending EAP Failure (code 4) ID 6 length 4
(5) eap: Failed in EAP select
(5)     [eap] = invalid
(5)   } # authenticate = invalid
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5)   Post-Auth-Type REJECT {
(5) attr_filter.access_reject: EXPAND %{User-Name}
(5) attr_filter.access_reject:    --> user
(5) attr_filter.access_reject: Matched entry DEFAULT at line 11
(5)     [attr_filter.access_reject] = updated
(5)     [eap] = noop
(5)     policy remove_reply_message_if_eap {
(5)       if (&reply:EAP-Message && &reply:Reply-Message) {
(5)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(5)       else {
(5)         [noop] = noop
(5)       } # else = noop
(5)     } # policy remove_reply_message_if_eap = noop
(5)   } # Post-Auth-Type REJECT = updated
(5) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(5) Sending delayed response
(5) Sent Access-Reject Id 115 from 10.1.0.22:1812 to 10.1.0.14:56440 length 44
(5)   EAP-Message = 0x04060004
(5)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 110 with timestamp +5 due to  
cleanup_delay was reached
(1) Cleaning up request packet ID 111 with timestamp +5 due to  
cleanup_delay was reached
(2) Cleaning up request packet ID 112 with timestamp +5 due to  
cleanup_delay was reached
(3) Cleaning up request packet ID 113 with timestamp +5 due to  
cleanup_delay was reached
(4) Cleaning up request packet ID 114 with timestamp +5 due to  
cleanup_delay was reached
(5) Cleaning up request packet ID 115 with timestamp +5 due to  
cleanup_delay was reached
Ready to process requests

Citando Alan DeKok <aland at deployingradius.com>:

> On Aug 17, 2023, at 10:02 AM, Rodrigo Abrantes Antunes  
> <rodrigoantunes at pelotas.ifsul.edu.br> wrote:
>> It didn't! That's what I said earlier and that's the reason why I  
>> posted in the list.
>>
>> Like I said, I followed that guide and it didn't work.
>>
>> This is what the debug output says:
>>
>> (25) ldap: WARNING: No "known good" password added. Ensure the  
>> admin user has permission to read the password attribute
>> (25) ldap: WARNING: PAP authentication will *NOT* work with Active  
>> Directory (if that is what you were trying to configure)
>
> It says a lot more than that.
>
> Post ALL OF THE DEBUG OUTPUT.
>
> All of the documentation says to do this.
>
> It is extremely unhelpful to ignore all of the available  
> documentation, and to post a message saying "I did stuff, and it  
> didn't work".
>
> Again, if you use TTLS+PAP it will work.
>
> I will bet that the full debug output shows that it's doing  
> PEAP+MSCHAP.  Which won't work.  And all of the documentation  
> explains why it won't work.
>
> Alan DeKok.
>
> -List info/subscribe/unsubscribe? See  
> http://www.freeradius.org/list/users.html
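The inner-tunnel trace above shows exactly the gap Alan is pointing at: `[ldap] = ok` (the user object is found) but the admin bind cannot read a password from Active Directory, so `pap` stays `noop`, nothing sets `Auth-Type`, and the request is rejected with "No Auth-Type found". In "bind as user" mode the server has to be told explicitly to use the `ldap` module for authentication, and that module can only verify a password it has in the clear, which is why it works with TTLS+PAP and not with an MS-CHAPv2 inner method. The following `inner-tunnel` fragment is an added example, not configuration from this thread or from the FreeRADIUS project's own files; it fills in the pattern that ships commented out in the stock 3.0 `sites-available` files, and assumes the `rlm_ldap` instance is named `ldap` (as in the debug output) and that the other module names are the stock ones.

```unlang
#  /etc/freeradius/3.0/sites-enabled/inner-tunnel  (relevant sections only)
#
#  Added example for "bind as user" mode with EAP-TTLS + PAP.  Assumes the
#  rlm_ldap instance is called "ldap" (matches "rlm_ldap (ldap)" in the
#  debug output) and that the admin bind cannot read password attributes,
#  which is always the case with Active Directory.

authorize {
	filter_username
	chap
	mschap
	suffix
	update control {
		&Proxy-To-Realm := LOCAL
	}
	eap {
		ok = return
	}
	files

	#  Look the user up.  Against AD this returns "ok" but cannot add a
	#  "known good" password, so pap stays noop and nothing sets Auth-Type.
	-ldap

	#  Bind-as-user needs the cleartext password, and only a PAP inner
	#  request carries User-Password.  An MS-CHAPv2 inner request carries
	#  MS-CHAP-Challenge / MS-CHAP2-Response instead, so this condition
	#  never matches and a bind cannot be attempted from that data.
	if ((ok || updated) && &User-Password && !&control:Auth-Type) {
		update {
			&control:Auth-Type := ldap
		}
	}

	expiration
	logintime
	pap
}

authenticate {
	#  rlm_ldap authenticate binds to the directory as the user's own DN
	#  with the supplied User-Password; a successful bind is the proof.
	Auth-Type LDAP {
		ldap
	}

	#  Keep the other methods for users that do have a known-good password.
	Auth-Type PAP {
		pap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	eap
}
```

With this in place and a TTLS+PAP supplicant, the inner-tunnel debug output should show `control:Auth-Type` being set after `[ldap] = ok` and the `ldap` module running in `authenticate` with a bind as the user's DN, instead of the "No Auth-Type found" rejection. With PEAP+MSCHAPv2 the condition is never true and the trace will look the same as the one above; for that method against AD, rlm_ldap is not the right tool and the documented path is `mschap` with `ntlm_auth`/winbind, which is the point made in the quoted reply.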


More information about the Freeradius-Users mailing list