EAP-TLS default config

clement.legoffic at kelio.com
Tue Feb 28 10:44:38 UTC 2023


Hello,

I started to learn network authentication and I want to set up a little PoC with FreeRADIUS and EAP-TLS.
I have previously tested my working configuration with the bob user, as in the FreeRADIUS docker example.

I use the FreeRADIUS docker image https://hub.docker.com/r/freeradius/freeradius-server/ in a container.
The config files have been extracted to be configured on my host system and mounted at the container's start.

I have followed this tutorial for the radiusd.conf file: https://www.dslreports.com/forum/r9286052-FreeRADIUS-WinXP-Authentication-Setup~mode=flat

As I use the container's default keys, the users file is just one line:

user at example.org Auth-Type := EAP, EAP-Type := EAP-TLS

On my Android phone, I connect to a D-Link wifi access point (DWL-2100AP) configured for 802.1X.
The ca.pem has been installed on my phone in order to use it for EAP-TLS when I select it.
The username I use on the phone side is "user at example.org", the domain is "example.org".

When I click connect on my phone, I get an Access-Reject, as shown in the debug output below.
I wanted to know if I am doing something wrong somewhere, and possibly where?

(FreeRADIUS version 3.2.0)

(0) Received Access-Request Id 0 from 10.17.30.60:1061 to 172.17.0.2:1812 length 212
(0)   Message-Authenticator = 0x46c9071611e746712984ef9165b516eb
(0)   Service-Type = Framed-User
(0)   User-Name = "user at example.org"
(0)   Framed-MTU = 1488
(0)   Called-Station-Id = "00-26-5A-84-0D-89:dlink"
(0)   Calling-Station-Id = "22-85-59-7C-27-7A"
(0)   NAS-Identifier = "D-Link Access Point"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Connect-Info = "CONNECT 54Mbps 802.11g"
(0)   EAP-Message = 0x020000150175736572406578616d706c652e6f7267
(0)   NAS-IP-Address = 10.17.30.60
(0)   NAS-Port = 1
(0)   NAS-Port-Id = "STA port # 1"
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "example.org" for User-Name = "user at example.org"
(0) suffix: No such realm "example.org"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 21
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_tls to process data
(0) eap_tls: (TLS) Initiating new session
(0) eap_tls: (TLS) Setting verify mode to require certificate from client
(0) eap: Sending EAP Request (code 1) ID 1 length 6
(0) eap: EAP session adding &reply:State = 0xbced3a8cbcec3700
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) session-state: Saving cached attributes
(0)   Framed-MTU = 994
(0) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1061 length 64
(0)   EAP-Message = 0x010100060d20
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0xbced3a8cbcec37005a032dcfba50bf3a
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 1 from 10.17.30.60:1061 to 172.17.0.2:1812 length 215
(1)   Message-Authenticator = 0x2660937420c3367bd057db626b743cc5
(1)   Service-Type = Framed-User
(1)   User-Name = "user at example.org"
(1)   Framed-MTU = 1488
(1)   State = 0xbced3a8cbcec37005a032dcfba50bf3a
(1)   Called-Station-Id = "00-26-5A-84-0D-89:dlink"
(1)   Calling-Station-Id = "22-85-59-7C-27-7A"
(1)   NAS-Identifier = "D-Link Access Point"
(1)   NAS-Port-Type = Wireless-802.11
(1)   Connect-Info = "CONNECT 54Mbps 802.11g"
(1)   EAP-Message = 0x020100060300
(1)   NAS-IP-Address = 10.17.30.60
(1)   NAS-Port = 1
(1)   NAS-Port-Id = "STA port # 1"
(1) Restoring &session-state
(1)   &session-state:Framed-MTU = 994
(1) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "example.org" for User-Name = "user at example.org"
(1) suffix: No such realm "example.org"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1) files: users: Matched entry user at example.org at line 2
(1)     [files] = ok
(1)     [expiration] = noop
(1)     [logintime] = noop
Not doing PAP as Auth-Type is already set.
(1)     [pap] = noop
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0xbced3a8cbcec3700
(1) eap: Finished EAP session with state 0xbced3a8cbcec3700
(1) eap: Previous EAP request found for state 0xbced3a8cbcec3700, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Peer NAK'd indicating it is not willing to continue
(1) eap: Sending EAP Failure (code 4) ID 1 length 4
(1) eap: Failed in EAP select
(1)     [eap] = invalid
(1)   } # authenticate = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1)   Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject:    --> user at example.org
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1)     [attr_filter.access_reject] = updated
(1)     [eap] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 1 from 172.17.0.2:1812 to 10.17.30.60:1061 length 44
(1)   EAP-Message = 0x04010004
(1)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(2) Received Access-Request Id 0 from 10.17.30.60:1063 to 172.17.0.2:1812 length 212
(2)   Message-Authenticator = 0x10dad86d8ca96900ee9e41a3f3215e04
(2)   Service-Type = Framed-User
(2)   User-Name = "user at example.org"
(2)   Framed-MTU = 1488
(2)   Called-Station-Id = "00-26-5A-84-0D-89:dlink"
(2)   Calling-Station-Id = "22-85-59-7C-27-7A"
(2)   NAS-Identifier = "D-Link Access Point"
(2)   NAS-Port-Type = Wireless-802.11
(2)   Connect-Info = "CONNECT 54Mbps 802.11g"
(2)   EAP-Message = 0x020000150175736572406578616d706c652e6f7267
(2)   NAS-IP-Address = 10.17.30.60
(2)   NAS-Port = 1
(2)   NAS-Port-Id = "STA port # 1"
(2) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: Looking up realm "example.org" for User-Name = "user at example.org"
(2) suffix: No such realm "example.org"
(2)     [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 0 length 21
(2) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2)   authenticate {
(2) eap: Peer sent packet with method EAP Identity (1)
(2) eap: Calling submodule eap_tls to process data
(2) eap_tls: (TLS) Initiating new session
(2) eap_tls: (TLS) Setting verify mode to require certificate from client
(2) eap: Sending EAP Request (code 1) ID 1 length 6
(2) eap: EAP session adding &reply:State = 0x61a7200961a62df0
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2)   Challenge { ... } # empty sub-section is ignored
(2) session-state: Saving cached attributes
(2)   Framed-MTU = 994
(2) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1063 length 64
(2)   EAP-Message = 0x010100060d20
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0x61a7200961a62df0743c98b3a07aed8f
(2) Finished request
Waking up in 1.9 seconds.
(3) Received Access-Request Id 1 from 10.17.30.60:1063 to 172.17.0.2:1812 length 215
(3)   Message-Authenticator = 0x2946bae5a640bdd89ef938aa738b4b94
(3)   Service-Type = Framed-User
(3)   User-Name = "user at example.org"
(3)   Framed-MTU = 1488
(3)   State = 0x61a7200961a62df0743c98b3a07aed8f
(3)   Called-Station-Id = "00-26-5A-84-0D-89:dlink"
(3)   Calling-Station-Id = "22-85-59-7C-27-7A"
(3)   NAS-Identifier = "D-Link Access Point"
(3)   NAS-Port-Type = Wireless-802.11
(3)   Connect-Info = "CONNECT 54Mbps 802.11g"
(3)   EAP-Message = 0x020100060300
(3)   NAS-IP-Address = 10.17.30.60
(3)   NAS-Port = 1
(3)   NAS-Port-Id = "STA port # 1"
(3) Restoring &session-state
(3)   &session-state:Framed-MTU = 994
(3) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: Looking up realm "example.org" for User-Name = "user at example.org"
(3) suffix: No such realm "example.org"
(3)     [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 1 length 6
(3) eap: No EAP Start, assuming it's an on-going EAP conversation
(3)     [eap] = updated
(3) files: users: Matched entry user at example.org at line 2
(3)     [files] = ok
(3)     [expiration] = noop
(3)     [logintime] = noop
Not doing PAP as Auth-Type is already set.
(3)     [pap] = noop
(3)   } # authorize = updated
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0x61a7200961a62df0
(3) eap: Finished EAP session with state 0x61a7200961a62df0
(3) eap: Previous EAP request found for state 0x61a7200961a62df0, released from the list
(3) eap: Peer sent packet with method EAP NAK (3)
(3) eap: Peer NAK'd indicating it is not willing to continue
(3) eap: Sending EAP Failure (code 4) ID 1 length 4
(3) eap: Failed in EAP select
(3)     [eap] = invalid
(3)   } # authenticate = invalid
(3) Failed to authenticate the user
(3) Using Post-Auth-Type Reject
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3)   Post-Auth-Type REJECT {
(3) attr_filter.access_reject: EXPAND %{User-Name}
(3) attr_filter.access_reject:    --> user at example.org
(3) attr_filter.access_reject: Matched entry DEFAULT at line 11
(3)     [attr_filter.access_reject] = updated
(3)     [eap] = noop
(3)     policy remove_reply_message_if_eap {
(3)       if (&reply:EAP-Message && &reply:Reply-Message) {
(3)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(3)       else {
(3)         [noop] = noop
(3)       } # else = noop
(3)     } # policy remove_reply_message_if_eap = noop
(3)   } # Post-Auth-Type REJECT = updated
(3) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(3) Sending delayed response
(3) Sent Access-Reject Id 1 from 172.17.0.2:1812 to 10.17.30.60:1063 length 44
(3)   EAP-Message = 0x04010004
(3)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.8 seconds.
(0) Cleaning up request packet ID 0 with timestamp +74 due to cleanup_delay was reached
(1) Cleaning up request packet ID 1 with timestamp +74 due to cleanup_delay was reached
Waking up in 3.0 seconds.
(4) Received Access-Request Id 0 from 10.17.30.60:1065 to 172.17.0.2:1812 length 212
(4)   Message-Authenticator = 0x7e90cef35650d96b0188a6bcc9040100
(4)   Service-Type = Framed-User
(4)   User-Name = "user at example.org"
(4)   Framed-MTU = 1488
(4)   Called-Station-Id = "00-26-5A-84-0D-89:dlink"
(4)   Calling-Station-Id = "22-85-59-7C-27-7A"
(4)   NAS-Identifier = "D-Link Access Point"
(4)   NAS-Port-Type = Wireless-802.11
(4)   Connect-Info = "CONNECT 54Mbps 802.11g"
(4)   EAP-Message = 0x020000150175736572406578616d706c652e6f7267
(4)   NAS-IP-Address = 10.17.30.60
(4)   NAS-Port = 1
(4)   NAS-Port-Id = "STA port # 1"
(4) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: Looking up realm "example.org" for User-Name = "user at example.org"
(4) suffix: No such realm "example.org"
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 0 length 21
(4) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4)   authenticate {
(4) eap: Peer sent packet with method EAP Identity (1)
(4) eap: Calling submodule eap_tls to process data
(4) eap_tls: (TLS) Initiating new session
(4) eap_tls: (TLS) Setting verify mode to require certificate from client
(4) eap: Sending EAP Request (code 1) ID 1 length 6
(4) eap: EAP session adding &reply:State = 0x10b8d47310b9d97a
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4)   Challenge { ... } # empty sub-section is ignored
(4) session-state: Saving cached attributes
(4)   Framed-MTU = 994
(4) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1065 length 64
(4)   EAP-Message = 0x010100060d20
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0x10b8d47310b9d97a65ed29a95486330e
(4) Finished request
Waking up in 1.8 seconds.
(5) Received Access-Request Id 1 from 10.17.30.60:1065 to 172.17.0.2:1812 length 215
(5)   Message-Authenticator = 0x4024c8a365e14657a651ceb71b9f5f61
(5)   Service-Type = Framed-User
(5)   User-Name = "user at example.org"
(5)   Framed-MTU = 1488
(5)   State = 0x10b8d47310b9d97a65ed29a95486330e
(5)   Called-Station-Id = "00-26-5A-84-0D-89:dlink"
(5)   Calling-Station-Id = "22-85-59-7C-27-7A"
(5)   NAS-Identifier = "D-Link Access Point"
(5)   NAS-Port-Type = Wireless-802.11
(5)   Connect-Info = "CONNECT 54Mbps 802.11g"
(5)   EAP-Message = 0x020100060300
(5)   NAS-IP-Address = 10.17.30.60
(5)   NAS-Port = 1
(5)   NAS-Port-Id = "STA port # 1"
(5) Restoring &session-state
(5)   &session-state:Framed-MTU = 994
(5) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "example.org" for User-Name = "user at example.org"
(5) suffix: No such realm "example.org"
(5)     [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 1 length 6
(5) eap: No EAP Start, assuming it's an on-going EAP conversation
(5)     [eap] = updated
(5) files: users: Matched entry user at example.org at line 2
(5)     [files] = ok
(5)     [expiration] = noop
(5)     [logintime] = noop
Not doing PAP as Auth-Type is already set.
(5)     [pap] = noop
(5)   } # authorize = updated
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0x10b8d47310b9d97a
(5) eap: Finished EAP session with state 0x10b8d47310b9d97a
(5) eap: Previous EAP request found for state 0x10b8d47310b9d97a, released from the list
(5) eap: Peer sent packet with method EAP NAK (3)
(5) eap: Peer NAK'd indicating it is not willing to continue
(5) eap: Sending EAP Failure (code 4) ID 1 length 4
(5) eap: Failed in EAP select
(5)     [eap] = invalid
(5)   } # authenticate = invalid
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5)   Post-Auth-Type REJECT {
(5) attr_filter.access_reject: EXPAND %{User-Name}
(5) attr_filter.access_reject:    --> user at example.org
(5) attr_filter.access_reject: Matched entry DEFAULT at line 11
(5)     [attr_filter.access_reject] = updated
(5)     [eap] = noop
(5)     policy remove_reply_message_if_eap {
(5)       if (&reply:EAP-Message && &reply:Reply-Message) {
(5)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(5)       else {
(5)         [noop] = noop
(5)       } # else = noop
(5)     } # policy remove_reply_message_if_eap = noop
(5)   } # Post-Auth-Type REJECT = updated
(5) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(5) Sending delayed response
(5) Sent Access-Reject Id 1 from 172.17.0.2:1812 to 10.17.30.60:1065 length 44
(5)   EAP-Message = 0x04010004
(5)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.8 seconds.
(2) Cleaning up request packet ID 0 with timestamp +77 due to cleanup_delay was reached
(3) Cleaning up request packet ID 1 with timestamp +77 due to cleanup_delay was reached
Waking up in 3.1 seconds.
(4) Cleaning up request packet ID 0 with timestamp +80 due to cleanup_delay was reached
(5) Cleaning up request packet ID 1 with timestamp +80 due to cleanup_delay was reached
Ready to process requests

Thanks,

Clément





