EAP-TLS doesn't work - EAP Failure
Lucas Guimaraes
lucas.guimaraes at kavak.com
Thu Feb 29 02:56:52 UTC 2024
Hi Alan,
Thank you so much!!! thank you :D It took about 5 min after I followed
everything you said and now works like a charm.
Also I'll read the documentation you suggest about how to read debug
output, again. Because it was not the first time I saw that documentation.
The last time I read once it was about one year ago when I was looking
around https://freeradius.org/documentation/
Just to let you know about the EAP authentication, I did a compare with the
file installed in the server with another file from the GitHub from here:
https://github.com/redBorder/freeradius/blob/master/raddb/sites-available/default
and I found out the section:
...
# Allow EAP authentication.
eap <- (Here was a comment out. Pls, don't ask me why it was commented but
it was. Most likely 99,9% could be my fault, sorry about that)
....
After I just removed only the "#" before "eap" and FreeRadius started to
work as expected and I also managed to install the client.p12 on Windows
and Android too while I was adding a new wifi network or setting the SSID
on the phone.
Here is the logs from the Server and also the eapol test:
FreeRADIUS Version 3.0.26
Copyright (C) 1999-2021 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file
/etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file
/etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/rfc7542
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/eap
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/default
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
postauth_client_lost = no
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipaddr = 192.168.0.0/24
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Autz-Type = New-TLS-Connection
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
files {
filename = "/etc/freeradius/3.0/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
}
# Loaded module rlm_digest
# Loading module "digest" from file
/etc/freeradius/3.0/mods-enabled/digest
# Loaded module rlm_exec
# Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file
/etc/freeradius/3.0/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_expiration
# Loading module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration
# Loaded module rlm_logintime
# Loading module "logintime" from file
/etc/freeradius/3.0/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
# Loaded module rlm_linelog
# Loading module "linelog" from file
/etc/freeradius/3.0/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/freeradius/3.0/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file
/etc/freeradius/3.0/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file
/etc/freeradius/3.0/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file
/etc/freeradius/3.0/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_detail
# Loading module "auth_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.coa" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.coa {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/coa"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file
/etc/freeradius/3.0/mods-enabled/replicate
# Loaded module rlm_preprocess
# Loading module "preprocess" from file
/etc/freeradius/3.0/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_mschap
# Loading module "mschap" from file
/etc/freeradius/3.0/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loading module "detail" from file
/etc/freeradius/3.0/mods-enabled/detail
detail {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_always
# Loading module "reject" from file
/etc/freeradius/3.0/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file
/etc/freeradius/3.0/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file
/etc/freeradius/3.0/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file
/etc/freeradius/3.0/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file
/etc/freeradius/3.0/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file
/etc/freeradius/3.0/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loading module "sradutmp" from file
/etc/freeradius/3.0/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unpack
# Loading module "unpack" from file
/etc/freeradius/3.0/mods-enabled/unpack
# Loading module "ntlm_auth" from file
/etc/freeradius/3.0/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/freeradius/3.0/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
eap {
default_eap_type = "tls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file
/etc/freeradius/3.0/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
pap {
normalise = yes
}
instantiate {
}
# Instantiating module "files" from file
/etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
# Instantiating module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration
# Instantiating module "logintime" from file
/etc/freeradius/3.0/mods-enabled/logintime
# Instantiating module "linelog" from file
/etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "IPASS" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "suffix" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "bangpath" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "realmpercent" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "ntdomain" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "auth_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/accounting_response
# Instantiating module "attr_filter.coa" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/coa
# Instantiating module "preprocess" from file
/etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
# Instantiating module "mschap" from file
/etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "detail" from file
/etc/freeradius/3.0/mods-enabled/detail
# Instantiating module "reject" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "fail" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "ok" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "handled" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "invalid" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "userlock" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "notfound" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "noop" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "updated" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "eap" from file
/etc/freeradius/3.0/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/3.0/certs/server.key"
certificate_file = "/etc/freeradius/3.0/certs/server.crt"
ca_file = "/etc/freeradius/3.0/certs/ca.pem"
private_key_password = <<< secret >>>
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "DEFAULT"
cipher_server_preference = no
reject_unknown_intermediate_ca = no
ecdh_curve = ""
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "cache_eap" from file
/etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
# Instantiating module "pap" from file
/etc/freeradius/3.0/mods-enabled/pap
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server default { # from file /etc/freeradius/3.0/sites-enabled/default
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
Compiling Autz-Type New-TLS-Connection for attr Autz-Type
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type
} # server default
server inner-tunnel { # from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' --
/etc/freeradius/3.0/sites-enabled/inner-tunnel:336
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 55848
Listening on proxy address :: port 41827
Ready to process requests
(0) Received Access-Request Id 0 from 127.0.0.1:44657 to 127.0.0.1:1812
length 146
(0) User-Name = "user at example.org"
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = "02-00-00-00-00-01"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) Connect-Info = "CONNECT 11Mbps 802.11b"
(0) EAP-Message = 0x020200150175736572406578616d706c652e6f7267
(0) Message-Authenticator = 0xfcc1f63f6c4f4b9e44611b14119b76e9
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "example.org" for User-Name = "user at example.org
"
(0) suffix: No such realm "example.org"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 2 length 21
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_tls to process data
(0) eap_tls: (TLS) Initiating new session
(0) eap_tls: (TLS) Setting verify mode to require certificate from client
(0) eap: Sending EAP Request (code 1) ID 3 length 6
(0) eap: EAP session adding &reply:State = 0x915bb6629158bb63
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) session-state: Saving cached attributes
(0) Framed-MTU = 994
(0) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:44657
length 64
(0) EAP-Message = 0x010300060d20
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x915bb6629158bb63d9e85057a0f8f68a
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 1 from 127.0.0.1:44657 to 127.0.0.1:1812
length 333
(1) User-Name = "user at example.org"
(1) NAS-IP-Address = 127.0.0.1
(1) Calling-Station-Id = "02-00-00-00-00-01"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Connect-Info = "CONNECT 11Mbps 802.11b"
(1) EAP-Message =
0x020300be0d0016030100b3010000af030355bbaaba22085affa27bf313eaa51f6b0f191d0c63552a96489ae93881e50d63000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004e000b000403000102000a000c000a001d0017001e001900180016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602
(1) State = 0x915bb6629158bb63d9e85057a0f8f68a
(1) Message-Authenticator = 0x9a4a50e19134ea4b731492d61a96ce89
(1) Restoring &session-state
(1) &session-state:Framed-MTU = 994
(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "example.org" for User-Name = "user at example.org
"
(1) suffix: No such realm "example.org"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 3 length 190
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x915bb6629158bb63
(1) eap: Finished EAP session with state 0x915bb6629158bb63
(1) eap: Previous EAP request found for state 0x915bb6629158bb63, released
from the list
(1) eap: Peer sent packet with method EAP TLS (13)
(1) eap: Calling submodule eap_tls to process data
(1) eap_tls: (TLS) EAP Got final fragment (184 bytes)
(1) eap_tls: WARNING: (TLS) EAP Total received record fragments (184
bytes), does not equal expected expected data length (0 bytes)
(1) eap_tls: (TLS) EAP Done initial handshake
(1) eap_tls: (TLS) Handshake state - before SSL initialization
(1) eap_tls: (TLS) Handshake state - Server before SSL initialization
(1) eap_tls: (TLS) Handshake state - Server before SSL initialization
(1) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello
(1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client hello
(1) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHello
(1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server hello
(1) eap_tls: (TLS) send TLS 1.2 Handshake, Certificate
(1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate
(1) eap_tls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write key exchange
(1) eap_tls: (TLS) send TLS 1.2 Handshake, CertificateRequest
(1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate
request
(1) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHelloDone
(1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done
(1) eap_tls: (TLS) Server : Need to read more data: SSLv3/TLS write server
done
(1) eap_tls: (TLS) In Handshake Phase
(1) eap: Sending EAP Request (code 1) ID 4 length 1004
(1) eap: EAP session adding &reply:State = 0x915bb662905fbb63
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) session-state: Saving cached attributes
(1) Framed-MTU = 994
(1) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerKeyExchange"
(1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
CertificateRequest"
(1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerHelloDone"
(1) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:44657
length 1068
(1) EAP-Message =
0x010403ec0dc000000b97160303003d020000390303c057c95286e8abc5a19ed6e71a2f470f4ab2dd8898e5286933d29cabf629273900c030000011ff01000100000b0004030001020017000016030309450b00094100093e00043a308204363082031ea003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3234303232383031333232345a170d3234303432383031333232345a307c310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x915bb662905fbb63d9e85057a0f8f68a
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 2 from 127.0.0.1:44657 to 127.0.0.1:1812
length 149
(2) User-Name = "user at example.org"
(2) NAS-IP-Address = 127.0.0.1
(2) Calling-Station-Id = "02-00-00-00-00-01"
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Connect-Info = "CONNECT 11Mbps 802.11b"
(2) EAP-Message = 0x020400060d00
(2) State = 0x915bb662905fbb63d9e85057a0f8f68a
(2) Message-Authenticator = 0xca7a9d5362cebf2ec100e51e4cb1639d
(2) Restoring &session-state
(2) &session-state:Framed-MTU = 994
(2) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHello"
(2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Certificate"
(2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerKeyExchange"
(2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, CertificateRequest"
(2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHelloDone"
(2) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: Looking up realm "example.org" for User-Name = "user at example.org
"
(2) suffix: No such realm "example.org"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 4 length 6
(2) eap: No EAP Start, assuming it's an on-going EAP conversation
(2) [eap] = updated
(2) [files] = noop
(2) [expiration] = noop
(2) [logintime] = noop
(2) [pap] = noop
(2) } # authorize = updated
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x915bb662905fbb63
(2) eap: Finished EAP session with state 0x915bb662905fbb63
(2) eap: Previous EAP request found for state 0x915bb662905fbb63, released
from the list
(2) eap: Peer sent packet with method EAP TLS (13)
(2) eap: Calling submodule eap_tls to process data
(2) eap_tls: (TLS) Peer ACKed our handshake fragment
(2) eap: Sending EAP Request (code 1) ID 5 length 1004
(2) eap: EAP session adding &reply:State = 0x915bb662935ebb63
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) session-state: Saving cached attributes
(2) Framed-MTU = 994
(2) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerKeyExchange"
(2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
CertificateRequest"
(2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerHelloDone"
(2) Sent Access-Challenge Id 2 from 127.0.0.1:1812 to 127.0.0.1:44657
length 1068
(2) EAP-Message =
0x010503ec0dc000000b9705ecb4b01e01e674cd17114248e5953c68d50808bfda8aedcbef7857bfaf2b3cd70f07eee53029230aa473f0afbf9e955f5178f7cf70f115fabdcbe7c4fa45f95e8e9176145705fd1797d7f024b3b33fc9171eb0263c7423df92605a8c34330475ec57f4e7db3053004b588ee2264d51a48100835f69f92f1bebdbeb03d94d7eed49ddbe8eba3444d1daf370d6a9a4869ea7236e8851466bf4bb28fcd5a1c439674838242589003aba0004fe308204fa308203e2a00302010202142557e1728d04afe1d4dc8f3ba7ed9f02a1142468300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c65204365727469666963617465204175
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x915bb662935ebb63d9e85057a0f8f68a
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 3 from 127.0.0.1:44657 to 127.0.0.1:1812
length 149
(3) User-Name = "user at example.org"
(3) NAS-IP-Address = 127.0.0.1
(3) Calling-Station-Id = "02-00-00-00-00-01"
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) Connect-Info = "CONNECT 11Mbps 802.11b"
(3) EAP-Message = 0x020500060d00
(3) State = 0x915bb662935ebb63d9e85057a0f8f68a
(3) Message-Authenticator = 0x157e8ecd40493b8b25d5dc23f0d83404
(3) Restoring &session-state
(3) &session-state:Framed-MTU = 994
(3) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHello"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Certificate"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerKeyExchange"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, CertificateRequest"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHelloDone"
(3) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: Looking up realm "example.org" for User-Name = "user at example.org
"
(3) suffix: No such realm "example.org"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 5 length 6
(3) eap: No EAP Start, assuming it's an on-going EAP conversation
(3) [eap] = updated
(3) [files] = noop
(3) [expiration] = noop
(3) [logintime] = noop
(3) [pap] = noop
(3) } # authorize = updated
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x915bb662935ebb63
(3) eap: Finished EAP session with state 0x915bb662935ebb63
(3) eap: Previous EAP request found for state 0x915bb662935ebb63, released
from the list
(3) eap: Peer sent packet with method EAP TLS (13)
(3) eap: Calling submodule eap_tls to process data
(3) eap_tls: (TLS) Peer ACKed our handshake fragment
(3) eap: Sending EAP Request (code 1) ID 6 length 989
(3) eap: EAP session adding &reply:State = 0x915bb662925dbb63
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) session-state: Saving cached attributes
(3) Framed-MTU = 994
(3) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerKeyExchange"
(3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
CertificateRequest"
(3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerHelloDone"
(3) Sent Access-Challenge Id 3 from 127.0.0.1:1812 to 127.0.0.1:44657
length 1053
(3) EAP-Message =
0x010603dd0d8000000b9778616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747982142557e1728d04afe1d4dc8f3ba7ed9f02a1142468300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382010100555b2e66c6da9a6ffd14172dbedf3d1e5338f55da258fafeb78d26408f25e04b82c56c5773e15ad3b035946ecc123e61001c5718bb698e44c8741fc483cb47e4928fe23a31df3bfaa251a3fde3c9214339af971304506bc9d405d0c5d55a1b105eeb8442aee49682191f524ef1c90329fcfb65076f6d7159d78e076ba54d7a3e70e1e92cdb86762d742d098e03a3a75e8c270718aee58d740c5cced0b9b6c3a20b02354f8b
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x915bb662925dbb63d9e85057a0f8f68a
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 4 from 127.0.0.1:44657 to 127.0.0.1:1812
length 1561
(4) User-Name = "user at example.org"
(4) NAS-IP-Address = 127.0.0.1
(4) Calling-Station-Id = "02-00-00-00-00-01"
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) Connect-Info = "CONNECT 11Mbps 802.11b"
(4) EAP-Message =
0x020605800dc000000a8f16030309200b00091c00091900041530820411308202f9a003020102020102300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3234303232383031333232355a170d3234303432383031333232355a3071310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3119301706035504030c1075736572406578616d706c652e6f7267311f301d06092a864886f70d010901161075736572406578616d706c652e6f726730820122300d06092a864886f70d0101010500038201
(4) State = 0x915bb662925dbb63d9e85057a0f8f68a
(4) Message-Authenticator = 0x50ce128c4e9a716c72b3380993132908
(4) Restoring &session-state
(4) &session-state:Framed-MTU = 994
(4) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHello"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Certificate"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerKeyExchange"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, CertificateRequest"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHelloDone"
(4) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: Looking up realm "example.org" for User-Name = "user at example.org
"
(4) suffix: No such realm "example.org"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 6 length 1408
(4) eap: No EAP Start, assuming it's an on-going EAP conversation
(4) [eap] = updated
(4) [files] = noop
(4) [expiration] = noop
(4) [logintime] = noop
(4) [pap] = noop
(4) } # authorize = updated
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x915bb662925dbb63
(4) eap: Finished EAP session with state 0x915bb662925dbb63
(4) eap: Previous EAP request found for state 0x915bb662925dbb63, released
from the list
(4) eap: Peer sent packet with method EAP TLS (13)
(4) eap: Calling submodule eap_tls to process data
(4) eap_tls: (TLS) EAP Peer says that the final record size will be 2703
bytes
(4) eap_tls: (TLS) EAP Expecting 2 fragments
(4) eap_tls: (TLS) EAP Got first TLS fragment (1398 bytes). Peer says more
fragments will follow
(4) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data.
(4) eap: Sending EAP Request (code 1) ID 7 length 6
(4) eap: EAP session adding &reply:State = 0x915bb662955cbb63
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) session-state: Saving cached attributes
(4) Framed-MTU = 994
(4) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerKeyExchange"
(4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
CertificateRequest"
(4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerHelloDone"
(4) Sent Access-Challenge Id 4 from 127.0.0.1:1812 to 127.0.0.1:44657
length 64
(4) EAP-Message = 0x010700060d00
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x915bb662955cbb63d9e85057a0f8f68a
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 5 from 127.0.0.1:44657 to 127.0.0.1:1812
length 1464
(5) User-Name = "user at example.org"
(5) NAS-IP-Address = 127.0.0.1
(5) Calling-Station-Id = "02-00-00-00-00-01"
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) Connect-Info = "CONNECT 11Mbps 802.11b"
(5) EAP-Message =
0x0207051f0d00706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820101008fd8ebe0ef83c9187f256e38e9ef2d6ef1e365f03987f64178ad8c099f79c9e10f79d3d296a75ff7fe44d7da66b8ba79f74ec0c2f6dab09a0c9d5e8bd725476b08a5dfd353d7d7e469a9cf5316bd19da820a61f3803c6aa2e95c37445c43ab0944dc3606c4218104b27c305d280aeede42e736bac91bcba157fc93d0e1c09774cf067dbb512b716b667a4eba19884aca067a10bb7ec4cb2819492d2cd2abd023eb49b2a8e014cdb8a11919160933ee62710fb3d7e0e886b083f7220e3be12283970f5b343c9ca3f348b728ec195e4cfc279d54f3a1fb1d2ae18d0344622ea8f4a582ed3679d381e3fbd40fca2c9e8cf651f2ddba621312b81203fc918f4d20310203010001a38201423082013e301d0603551d0e0416041468e8d758bafd2cf855
(5) State = 0x915bb662955cbb63d9e85057a0f8f68a
(5) Message-Authenticator = 0x4b372884eaee0e458add2352d318a081
(5) Restoring &session-state
(5) &session-state:Framed-MTU = 994
(5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHello"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Certificate"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerKeyExchange"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, CertificateRequest"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHelloDone"
(5) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "example.org" for User-Name = "user at example.org
"
(5) suffix: No such realm "example.org"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 7 length 1311
(5) eap: No EAP Start, assuming it's an on-going EAP conversation
(5) [eap] = updated
(5) [files] = noop
(5) [expiration] = noop
(5) [logintime] = noop
(5) [pap] = noop
(5) } # authorize = updated
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x915bb662955cbb63
(5) eap: Finished EAP session with state 0x915bb662955cbb63
(5) eap: Previous EAP request found for state 0x915bb662955cbb63, released
from the list
(5) eap: Peer sent packet with method EAP TLS (13)
(5) eap: Calling submodule eap_tls to process data
(5) eap_tls: (TLS) EAP Got final fragment (1305 bytes)
(5) eap_tls: (TLS) EAP Done initial handshake
(5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done
(5) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate
(5) eap_tls: (TLS) Creating attributes from server certificate
(5) eap_tls: TLS-Cert-Serial := "2557e1728d04afe1d4dc8f3ba7ed9f02a1142468"
(5) eap_tls: TLS-Cert-Expiration := "240428013224Z"
(5) eap_tls: TLS-Cert-Valid-Since := "240228013224Z"
(5) eap_tls: TLS-Cert-Subject := "/C=FR/ST=Radius/L=Somewhere/O=Example
Inc./emailAddress=admin at example.org/CN=Example Certificate Authority"
(5) eap_tls: TLS-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example
Inc./emailAddress=admin at example.org/CN=Example Certificate Authority"
(5) eap_tls: TLS-Cert-Common-Name := "Example Certificate Authority"
(5) eap_tls: (TLS) Creating attributes from client certificate
(5) eap_tls: TLS-Client-Cert-Serial := "02"
(5) eap_tls: TLS-Client-Cert-Expiration := "240428013225Z"
(5) eap_tls: TLS-Client-Cert-Valid-Since := "240228013225Z"
(5) eap_tls: TLS-Client-Cert-Subject := "/C=FR/ST=Radius/O=Example
Inc./CN=user at example.org/emailAddress=user at example.org"
(5) eap_tls: TLS-Client-Cert-Issuer :=
"/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=
admin at example.org/CN=Example Certificate Authority"
(5) eap_tls: TLS-Client-Cert-Common-Name := "user at example.org"
(5) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client
Authentication"
(5) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier +=
"BF:8B:EE:28:D4:A2:2A:EE:30:BA:18:5B:11:76:50:45:1C:BC:A9:27"
(5) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier +=
"68:E8:D7:58:BA:FD:2C:F8:55:E5:99:F0:1D:1B:E1:B0:49:7C:45:43"
(5) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
"1.3.6.1.5.5.7.3.2"
Certificate chain - 1 cert(s) untrusted
(TLS) untrusted certificate with depth [1] subject name
/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=
admin at example.org/CN=Example Certificate Authority
(TLS) untrusted certificate with depth [0] subject name
/C=FR/ST=Radius/O=Example Inc./CN=
user at example.org/emailAddress=user at example.org
(5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client
certificate
(5) eap_tls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
(5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client key
exchange
(5) eap_tls: (TLS) recv TLS 1.2 Handshake, CertificateVerify
(5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read certificate
verify
(5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read change cipher
spec
(5) eap_tls: (TLS) recv TLS 1.2 Handshake, Finished
(5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read finished
(5) eap_tls: (TLS) send TLS 1.2 ChangeCipherSpec
(5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write change cipher
spec
(5) eap_tls: (TLS) send TLS 1.2 Handshake, Finished
(5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write finished
(5) eap_tls: (TLS) Handshake state - SSL negotiation finished successfully
(5) eap_tls: (TLS) Connection Established
(5) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) eap_tls: TLS-Session-Version = "TLS 1.2"
(5) eap: Sending EAP Request (code 1) ID 8 length 61
(5) eap: EAP session adding &reply:State = 0x915bb6629453bb63
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5) Framed-MTU = 994
(5) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerKeyExchange"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
CertificateRequest"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerHelloDone"
(5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate"
(5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake,
ClientKeyExchange"
(5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake,
CertificateVerify"
(5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 5 from 127.0.0.1:1812 to 127.0.0.1:44657
length 119
(5) EAP-Message =
0x0108003d0d80000000331403030001011603030028e8ed43d5f14d7ea2d6d952a993702475cd35a16cc73f1546cffda13f01adc2ff0958fd830c2539cb
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x915bb6629453bb63d9e85057a0f8f68a
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 6 from 127.0.0.1:44657 to 127.0.0.1:1812
length 149
(6) User-Name = "user at example.org"
(6) NAS-IP-Address = 127.0.0.1
(6) Calling-Station-Id = "02-00-00-00-00-01"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Connect-Info = "CONNECT 11Mbps 802.11b"
(6) EAP-Message = 0x020800060d00
(6) State = 0x915bb6629453bb63d9e85057a0f8f68a
(6) Message-Authenticator = 0xeeed5fc00c06ed5bb63f1ef809fb0ff2
(6) Restoring &session-state
(6) &session-state:Framed-MTU = 994
(6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHello"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Certificate"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerKeyExchange"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, CertificateRequest"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHelloDone"
(6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, Certificate"
(6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, ClientKeyExchange"
(6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, CertificateVerify"
(6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, Finished"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
ChangeCipherSpec"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Finished"
(6) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(6) &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: Looking up realm "example.org" for User-Name = "user at example.org
"
(6) suffix: No such realm "example.org"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 8 length 6
(6) eap: No EAP Start, assuming it's an on-going EAP conversation
(6) [eap] = updated
(6) [files] = noop
(6) [expiration] = noop
(6) [logintime] = noop
(6) [pap] = noop
(6) } # authorize = updated
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x915bb6629453bb63
(6) eap: Finished EAP session with state 0x915bb6629453bb63
(6) eap: Previous EAP request found for state 0x915bb6629453bb63, released
from the list
(6) eap: Peer sent packet with method EAP TLS (13)
(6) eap: Calling submodule eap_tls to process data
(6) eap_tls: (TLS) Peer ACKed our handshake fragment. handshake is finished
(6) eap: Sending EAP Success (code 3) ID 8 length 4
(6) eap: Freeing handler
(6) [eap] = ok
(6) } # authenticate = ok
(6) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default
(6) post-auth {
(6) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {
(6) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) -> FALSE
(6) update {
(6) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994
(6) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake,
ClientHello'
(6) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake,
ServerHello'
(6) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake,
Certificate'
(6) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake,
ServerKeyExchange'
(6) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake,
CertificateRequest'
(6) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake,
ServerHelloDone'
(6) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake,
Certificate'
(6) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake,
ClientKeyExchange'
(6) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake,
CertificateVerify'
(6) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake,
Finished'
(6) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2
ChangeCipherSpec'
(6) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake,
Finished'
(6) &reply::TLS-Session-Cipher-Suite +=
&session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(6) &reply::TLS-Session-Version +=
&session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(6) } # update = noop
(6) [exec] = noop
(6) policy remove_reply_message_if_eap {
(6) if (&reply:EAP-Message && &reply:Reply-Message) {
(6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(6) else {
(6) [noop] = noop
(6) } # else = noop
(6) } # policy remove_reply_message_if_eap = noop
(6) if (EAP-Key-Name && &reply:EAP-Session-Id) {
(6) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE
(6) } # post-auth = noop
(6) Sent Access-Accept Id 6 from 127.0.0.1:1812 to 127.0.0.1:44657 length
184
(6) MS-MPPE-Recv-Key =
0x2ce77c48a85743806af23a14abdbf24dc8ea52969462cc9cd7a5035b15aef473
(6) MS-MPPE-Send-Key =
0xc697aee46a8d611863036bd4cb69f412ff6f4a005165780b1ec25dcf40a28128
(6) EAP-Message = 0x03080004
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) User-Name = "user at example.org"
(6) Framed-MTU += 994
(6) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 0 with timestamp +25 due to cleanup_delay
was reached
(1) Cleaning up request packet ID 1 with timestamp +25 due to cleanup_delay
was reached
(2) Cleaning up request packet ID 2 with timestamp +25 due to cleanup_delay
was reached
(3) Cleaning up request packet ID 3 with timestamp +25 due to cleanup_delay
was reached
(4) Cleaning up request packet ID 4 with timestamp +25 due to cleanup_delay
was reached
(5) Cleaning up request packet ID 5 with timestamp +25 due to cleanup_delay
was reached
(6) Cleaning up request packet ID 6 with timestamp +25 due to cleanup_delay
was reached
Ready to process requests
EAPOL_TEST.config
Reading configuration file 'eapol_test.conf'
Line: 1 - start of a new network block
key_mgmt: 0x8
eap methods - hexdump(len=16): 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00
00
identity - hexdump_ascii(len=16):
75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 user at example.org
client_cert - hexdump_ascii(len=36):
2f 65 74 63 2f 66 72 65 65 72 61 64 69 75 73 2f /etc/freeradius/
33 2e 30 2f 63 65 72 74 73 2f 63 6c 69 65 6e 74 3.0/certs/client
2e 63 72 74 .crt
private_key - hexdump_ascii(len=36):
2f 65 74 63 2f 66 72 65 65 72 61 64 69 75 73 2f /etc/freeradius/
33 2e 30 2f 63 65 72 74 73 2f 63 6c 69 65 6e 74 3.0/certs/client
2e 6b 65 79 .key
private_key_passwd - hexdump_ascii(len=8):
77 68 61 74 65 76 65 72 whatever
ca_cert - hexdump_ascii(len=32):
2f 65 74 63 2f 66 72 65 65 72 61 64 69 75 73 2f /etc/freeradius/
33 2e 30 2f 63 65 72 74 73 2f 63 61 2e 70 65 6d 3.0/certs/ca.pem
Priority group 0
id=0 ssid=''
Authentication server 127.0.0.1:1812
RADIUS local address: 127.0.0.1:40286
ENGINE: Loading builtin engines
ENGINE: Loading builtin engines
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=77 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: Status notification: started (param=)
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=16):
75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 user at example.org
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=21)
TX EAP -> RADIUS - hexdump(len=21): 02 4d 00 15 01 75 73 65 72 40 65 78 61
6d 70 6c 65 2e 6f 72 67
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=16): 75 73 65 72
40 65 78 61 6d 70 6c 65 2e 6f 72 67
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=146
Attribute 1 (User-Name) length=18
Value: 'user at example.org'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 6 (Service-Type) length=6
Value: 2
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=23
Value: 024d00150175736572406578616d706c652e6f7267
Attribute 80 (Message-Authenticator) length=18
Value: 5765424494243530746e574e5aec17e6
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 64 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=64
Attribute 79 (EAP-Message) length=8
Value: 014e00060d20
Attribute 80 (Message-Authenticator) length=18
Value: d936830309023cb23a0345057e2c5d2b
Attribute 24 (State) length=18
Value: edd2cd8eed9cc0b549867676db0ddfbf
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=78 len=6) from RADIUS server:
EAP-Request-TLS (13)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=78 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
EAP: Status notification: accept proposed method (param=TLS)
EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
TLS: using phase1 config options
TLS: Trusted root certificate(s) loaded
OpenSSL: SSL_use_certificate_chain_file --> OK
OpenSSL: tls_use_private_key_file (PEM) --> loaded
SSL: Private key loaded successfully
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
EAP: EAP entering state METHOD
SSL: Received packet(len=6) - Flags 0x20
EAP-TLS: Start
SSL: (where=0x10 ret=0x1)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:before SSL initialization
OpenSSL: TX ver=0x301 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): 16 03 01 00 b3
OpenSSL: TX ver=0x303 content_type=22 (handshake/client hello)
OpenSSL: Message - hexdump(len=179): 01 00 00 af 03 03 fe d5 af 5e 92 5e df
28 8b 3a 05 6a 3b 3e a9 8e 41 47 b3 cf ff ee 88 27 e6 3c 15 56 17 56 73 0a
00 00 38 c0 2c c0 30 00 9f cc a9 cc a8 cc aa c0 2b c0 2f 00 9e c0 24 c0 28
00 6b c0 23 c0 27 00 67 c0 0a c0 14 00 39 c0 09 c0 13 00 33 00 9d 00 9c 00
3d 00 3c 00 35 00 2f 00 ff 01 00 00 4e 00 0b 00 04 03 00 01 02 00 0a 00 0c
00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16 00 00 00 17 00 00 00 0d 00 2a 00
28 04 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 08 06 04 01
05 01 06 01 03 03 03 01 03 02 04 02 05 02 06 02
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write client hello
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3/TLS write client hello
SSL: SSL_connect - want more data
SSL: 184 bytes pending from ssl_out
SSL: Using TLS version TLSv1.2
SSL: 184 bytes left to be sent out (of total 184 bytes)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
eapRespData=0x55ff45bc6ad0
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=190)
TX EAP -> RADIUS - hexdump(len=190): 02 4e 00 be 0d 00 16 03 01 00 b3 01 00
00 af 03 03 fe d5 af 5e 92 5e df 28 8b 3a 05 6a 3b 3e a9 8e 41 47 b3 cf ff
ee 88 27 e6 3c 15 56 17 56 73 0a 00 00 38 c0 2c c0 30 00 9f cc a9 cc a8 cc
aa c0 2b c0 2f 00 9e c0 24 c0 28 00 6b c0 23 c0 27 00 67 c0 0a c0 14 00 39
c0 09 c0 13 00 33 00 9d 00 9c 00 3d 00 3c 00 35 00 2f 00 ff 01 00 00 4e 00
0b 00 04 03 00 01 02 00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16
00 00 00 17 00 00 00 0d 00 2a 00 28 04 03 05 03 06 03 08 07 08 08 08 09 08
0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 03 03 03 01 03 02 04 02 05 02
06 02
Encapsulating EAP message into a RADIUS packet
Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=1 length=333
Attribute 1 (User-Name) length=18
Value: 'user at example.org'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 6 (Service-Type) length=6
Value: 2
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=192
Value:
024e00be0d0016030100b3010000af0303fed5af5e925edf288b3a056a3b3ea98e4147b3cfffee8827e63c15561756730a000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004e000b000403000102000a000c000a001d0017001e001900180016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602
Attribute 24 (State) length=18
Value: edd2cd8eed9cc0b549867676db0ddfbf
Attribute 80 (Message-Authenticator) length=18
Value: 9fd5aa074756c60ac77358debc329fc4
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 1068 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=1 length=1068
Attribute 79 (EAP-Message) length=255
Value:
014f03ec0dc000000b97160303003d020000390303f61d14e65035acccf7f101ae2de543a9bd8ef9d61c9cd4e1362ea674a439c09f00c030000011ff01000100000b0004030001020017000016030309450b00094100093e00043a308204363082031ea003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c65204365
Attribute 79 (EAP-Message) length=255
Value:
72746966696361746520417574686f72697479301e170d3234303232383031333232345a170d3234303432383031333232345a307c310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e6f726730820122300d06092a864886f70d01010105000382010f003082010a028201010090f40284a31ef1c54d2c4089d96d751eee590fe2a0f81288945416a8b00fb47a680dc5c3113908c26c4a11
Attribute 79 (EAP-Message) length=255
Value:
14b5ab75ea295fda69c5e15de6906813dac9fea2889f9f79d0c051fcc97e07e03d896a230dec1d4f604c710b647bdad81fc53655ea7387ae8553f7da01f272631f39c568eac2fe6878e15572a2f01d37f8f44a09e6e5c2a864606c271ecd1187c51040e852021bd2d50431f377668f442f96cec8117c73ef5fc3ee3e0911a0fcb57131ace51b49d05fc11bdecdeda1ad35f1a9db86cf06607f8ceade1cdd2acfb52ccd15116f1cb816ec154a22448df328dd45f51843a8669f1b0c31ab31da1ebf5b860ab7a45d1fcdbd40dcbf6d1e4e849547e67d0203010001a381aa3081a730130603551d25040c300a06082b0601050507030130360603551d1f04
Attribute 79 (EAP-Message) length=247
Value:
2f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c30180603551d200411300f300d060b2b0601040182be68010302301d0603551d0e041604143a44f16099a6e3432b1695cf5483ac52abe60fdf301f0603551d2304183016801468e8d758bafd2cf855e599f01d1be1b0497c4543300d06092a864886f70d01010b050003820101003fa79358983442290ecbe3fd48e904e37da1b69f8b560857f83c25cfad385713a2a07806c5276f47f2f0693d4247026b137eaeda12b44356ccbdad27bc443ca2ae17928c9344ab6995d4009a3a7eda75ab4ec523577b08
Attribute 80 (Message-Authenticator) length=18
Value: b8b7e03e1c7730eb5738e5229836fac4
Attribute 24 (State) length=18
Value: edd2cd8eec9dc0b549867676db0ddfbf
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=79 len=1004) from RADIUS server:
EAP-Request-TLS (13)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=79 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=1004) - Flags 0xc0
SSL: TLS Message Length: 2967
SSL: Need 1973 bytes more input data
SSL: Building ACK (type=13 id=79 ver=0)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
eapRespData=0x55ff45bb9440
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=6)
TX EAP -> RADIUS - hexdump(len=6): 02 4f 00 06 0d 00
Encapsulating EAP message into a RADIUS packet
Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=2 length=149
Attribute 1 (User-Name) length=18
Value: 'user at example.org'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 6 (Service-Type) length=6
Value: 2
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=8
Value: 024f00060d00
Attribute 24 (State) length=18
Value: edd2cd8eec9dc0b549867676db0ddfbf
Attribute 80 (Message-Authenticator) length=18
Value: 6adf378f78bcffea0a989b134718c3ce
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 1068 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=2 length=1068
Attribute 79 (EAP-Message) length=255
Value:
015003ec0dc000000b9705ecb4b01e01e674cd17114248e5953c68d50808bfda8aedcbef7857bfaf2b3cd70f07eee53029230aa473f0afbf9e955f5178f7cf70f115fabdcbe7c4fa45f95e8e9176145705fd1797d7f024b3b33fc9171eb0263c7423df92605a8c34330475ec57f4e7db3053004b588ee2264d51a48100835f69f92f1bebdbeb03d94d7eed49ddbe8eba3444d1daf370d6a9a4869ea7236e8851466bf4bb28fcd5a1c439674838242589003aba0004fe308204fa308203e2a00302010202142557e1728d04afe1d4dc8f3ba7ed9f02a1142468300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06
Attribute 79 (EAP-Message) length=255
Value:
035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3234303232383031333232345a170d3234303432383031333232345a308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d01090116
Attribute 79 (EAP-Message) length=255
Value:
1161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820101008fd8ebe0ef83c9187f256e38e9ef2d6ef1e365f03987f64178ad8c099f79c9e10f79d3d296a75ff7fe44d7da66b8ba79f74ec0c2f6dab09a0c9d5e8bd725476b08a5dfd353d7d7e469a9cf5316bd19da820a61f3803c6aa2e95c37445c43ab0944dc3606c4218104b27c305d280aeede42e736bac91bcba157fc93d0e1c09774cf067dbb512b716b667a4eba19884aca067a10bb7ec4cb2819492d2cd2abd023eb49
Attribute 79 (EAP-Message) length=247
Value:
b2a8e014cdb8a11919160933ee62710fb3d7e0e886b083f7220e3be12283970f5b343c9ca3f348b728ec195e4cfc279d54f3a1fb1d2ae18d0344622ea8f4a582ed3679d381e3fbd40fca2c9e8cf651f2ddba621312b81203fc918f4d20310203010001a38201423082013e301d0603551d0e0416041468e8d758bafd2cf855e599f01d1be1b0497c45433081d30603551d230481cb3081c8801468e8d758bafd2cf855e599f01d1be1b0497c4543a18199a48196308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c45
Attribute 80 (Message-Authenticator) length=18
Value: d7b344b5c88528d5c384639186ed3f9b
Attribute 24 (State) length=18
Value: edd2cd8eef82c0b549867676db0ddfbf
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=80 len=1004) from RADIUS server:
EAP-Request-TLS (13)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=80 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=1004) - Flags 0xc0
SSL: TLS Message Length: 2967
SSL: Need 979 bytes more input data
SSL: Building ACK (type=13 id=80 ver=0)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
eapRespData=0x55ff45bb9440
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=6)
TX EAP -> RADIUS - hexdump(len=6): 02 50 00 06 0d 00
Encapsulating EAP message into a RADIUS packet
Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=3 length=149
Attribute 1 (User-Name) length=18
Value: 'user at example.org'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 6 (Service-Type) length=6
Value: 2
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=8
Value: 025000060d00
Attribute 24 (State) length=18
Value: edd2cd8eef82c0b549867676db0ddfbf
Attribute 80 (Message-Authenticator) length=18
Value: e32b0f568fbec391ea359d5727310723
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 1053 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=3 length=1053
Attribute 79 (EAP-Message) length=255
Value:
015103dd0d8000000b9778616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747982142557e1728d04afe1d4dc8f3ba7ed9f02a1142468300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382010100555b2e66c6da9a6ffd14172dbedf3d1e5338f55da258fafeb78d26408f25e04b82c56c5773e15ad3b03594
Attribute 79 (EAP-Message) length=255
Value:
6ecc123e61001c5718bb698e44c8741fc483cb47e4928fe23a31df3bfaa251a3fde3c9214339af971304506bc9d405d0c5d55a1b105eeb8442aee49682191f524ef1c90329fcfb65076f6d7159d78e076ba54d7a3e70e1e92cdb86762d742d098e03a3a75e8c270718aee58d740c5cced0b9b6c3a20b02354f8bb632af96b1706c91d7ac96407cfc680f49e343daaa744c3f36fc287d24339ca136b228df51b0926c6e9d2c320805fbc420e9be9e07409a208ebc4745ab0c387395c286d77147e17a31168e561d8e07439e91fc7597bf4c3b2d0580160303012c0c00012803001d20ec42a2c97b33ba7b758710660f249db1988f182ac4f3a1bec6aa63
Attribute 79 (EAP-Message) length=255
Value:
b913ee06640804010071938d1b655469023aba67bba8063176e9fe7eb476650270df1f10569a2e8e8ae832af529c07a234ea2b32e8910fc8b2d136b0374b4331273847c1583930a6417be5ffe5f9300a8d3ad03f08e01dd027ad6db66ec547b75767d995c35f1bf99c802cad871fa2cd75e7a77cdcdba8145690d8e39b1c9b895041cf8d2c46de6747b1a099e91d7d81357d542b8f323e1e46647917248b878ee0982dacae6cdd2d0e21eb5a516bbd1eeda979b30d2126ce0050ed33357b07afac697c1fbf67007dacc3328d7409bc95160dc7f3e2c607fe9aae3fb6f003c001ae617d34769d8fb52ba5da8ffb8f4a3434b971fafecb547c090addd690
Attribute 79 (EAP-Message) length=232
Value:
3ba1a8d942046e945a826dbd16030300cc0d0000c8030102400028040305030603080708080809080a080b08040805080604010501060103030301030204020502060200980096308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747916030300040e000000
Attribute 80 (Message-Authenticator) length=18
Value: d4c6474e5e1b5a24f47f58d519f69e43
Attribute 24 (State) length=18
Value: edd2cd8eee83c0b549867676db0ddfbf
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=81 len=989) from RADIUS server:
EAP-Request-TLS (13)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=81 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=989) - Flags 0x80
SSL: TLS Message Length: 2967
OpenSSL: RX ver=0x303 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): 16 03 03 00 3d
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write client hello
OpenSSL: RX ver=0x303 content_type=22 (handshake/server hello)
OpenSSL: Message - hexdump(len=61): 02 00 00 39 03 03 f6 1d 14 e6 50 35 ac
cc f7 f1 01 ae 2d e5 43 a9 bd 8e f9 d6 1c 9c d4 e1 36 2e a6 74 a4 39 c0 9f
00 c0 30 00 00 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 00 00
OpenSSL: Server selected cipher suite 0xc030
OpenSSL: RX ver=0x303 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): 16 03 03 09 45
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS read server hello
OpenSSL: RX ver=0x303 content_type=22 (handshake/certificate)
OpenSSL: Message - hexdump(len=2373): 0b 00 09 41 00 09 3e 00 04 3a 30 82
04 36 30 82 03 1e a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01
01 0b 05 00 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06
03 55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f
6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65
20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d
69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d
45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f
72 69 74 79 30 1e 17 0d 32 34 30 32 32 38 30 31 33 32 32 34 5a 17 0d 32 34
30 34 32 38 30 31 33 32 32 34 5a 30 7c 31 0b 30 09 06 03 55 04 06 13 02 46
52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 15 30 13 06 03 55
04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 23 30 21 06 03 55 04 03
0c 1a 45 78 61 6d 70 6c 65 20 53 65 72 76 65 72 20 43 65 72 74 69 66 69 63
61 74 65 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e
40 65 78 61 6d 70 6c 65 2e 6f 72 67 30 82 01 22 30 0d 06 09 2a 86 48 86 f7
0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 90 f4 02 84 a3
1e f1 c5 4d 2c 40 89 d9 6d 75 1e ee 59 0f e2 a0 f8 12 88 94 54 16 a8 b0 0f
b4 7a 68 0d c5 c3 11 39 08 c2 6c 4a 11 14 b5 ab 75 ea 29 5f da 69 c5 e1 5d
e6 90 68 13 da c9 fe a2 88 9f 9f 79 d0 c0 51 fc c9 7e 07 e0 3d 89 6a 23 0d
ec 1d 4f 60 4c 71 0b 64 7b da d8 1f c5 36 55 ea 73 87 ae 85 53 f7 da 01 f2
72 63 1f 39 c5 68 ea c2 fe 68 78 e1 55 72 a2 f0 1d 37 f8 f4 4a 09 e6 e5 c2
a8 64 60 6c 27 1e cd 11 87 c5 10 40 e8 52 02 1b d2 d5 04 31 f3 77 66 8f 44
2f 96 ce c8 11 7c 73 ef 5f c3 ee 3e 09 11 a0 fc b5 71 31 ac e5 1b 49 d0 5f
c1 1b de cd ed a1 ad 35 f1 a9 db 86 cf 06 60 7f 8c ea de 1c dd 2a cf b5 2c
cd 15 11 6f 1c b8 16 ec 15 4a 22 44 8d f3 28 dd 45 f5 18 43 a8 66 9f 1b 0c
31 ab 31 da 1e bf 5b 86 0a b7 a4 5d 1f cd bd 40 dc bf 6d 1e 4e 84 95 47 e6
7d 02 03 01 00 01 a3 81 aa 30 81 a7 30 13 06 03 55 1d 25 04 0c 30 0a 06 08
2b 06 01 05 05 07 03 01 30 36 06 03 55 1d 1f 04 2f 30 2d 30 2b a0 29 a0 27
86 25 68 74 74 70 3a 2f 2f 77 77 77 2e 65 78 61 6d 70 6c 65 2e 63 6f 6d 2f
65 78 61 6d 70 6c 65 5f 63 61 2e 63 72 6c 30 18 06 03 55 1d 20 04 11 30 0f
30 0d 06 0b 2b 06 01 04 01 82 be 68 01 03 02 30 1d 06 03 55 1d 0e 04 16 04
14 3a 44 f1 60 99 a6 e3 43 2b 16 95 cf 54 83 ac 52 ab e6 0f df 30 1f 06 03
55 1d 23 04 18 30 16 80 14 68 e8 d7 58 ba fd 2c f8 55 e5 99 f0 1d 1b e1 b0
49 7c 45 43 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 3f
a7 93 58 98 34 42 29 0e cb e3 fd 48 e9 04 e3 7d a1 b6 9f 8b 56 08 57 f8 3c
25 cf ad 38 57 13 a2 a0 78 06 c5 27 6f 47 f2 f0 69 3d 42 47 02 6b 13 7e ae
da 12 b4 43 56 cc bd ad 27 bc 44 3c a2 ae 17 92 8c 93 44 ab 69 95 d4 00 9a
3a 7e da 75 ab 4e c5 23 57 7b 08 05 ec b4 b0 1e 01 e6 74 cd 17 11 42 48 e5
95 3c 68 d5 08 08 bf da 8a ed cb ef 78 57 bf af 2b 3c d7 0f 07 ee e5 30 29
23 0a a4 73 f0 af bf 9e 95 5f 51 78 f7 cf 70 f1 15 fa bd cb e7 c4 fa 45 f9
5e 8e 91 76 14 57 05 fd 17 97 d7 f0 24 b3 b3 3f c9 17 1e b0 26 3c 74 23 df
92 60 5a 8c 34 33 04 75 ec 57 f4 e7 db 30 53 00 4b 58 8e e2 26 4d 51 a4 81
00 83 5f 69 f9 2f 1b eb db eb 03 d9 4d 7e ed 49 dd be 8e ba 34 44 d1 da f3
70 d6 a9 a4 86 9e a7 23 6e 88 51 46 6b f4 bb 28 fc d5 a1 c4 39 67 48 38 24
25 89 00 3a ba 00 04 fe 30 82 04 fa 30 82 03 e2 a0 03 02 01 02 02 14 25 57
e1 72 8d 04 af e1 d4 dc 8f 3b a7 ed 9f 02 a1 14 24 68 30 0d 06 09 2a 86 48
86 f7 0d 01 01 0b 05 00 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31
0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07
0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61
6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16
11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30 24 06 03 55
04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41
75 74 68 6f 72 69 74 79 30 1e 17 0d 32 34 30 32 32 38 30 31 33 32 32 34 5a
17 0d 32 34 30 34 32 38 30 31 33 32 32 34 5a 30 81 93 31 0b 30 09 06 03 55
04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 12
30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55
04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48
86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67
31 26 30 24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66
69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 30 82 01 22 30 0d 06 09 2a 86
48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 8f d8
eb e0 ef 83 c9 18 7f 25 6e 38 e9 ef 2d 6e f1 e3 65 f0 39 87 f6 41 78 ad 8c
09 9f 79 c9 e1 0f 79 d3 d2 96 a7 5f f7 fe 44 d7 da 66 b8 ba 79 f7 4e c0 c2
f6 da b0 9a 0c 9d 5e 8b d7 25 47 6b 08 a5 df d3 53 d7 d7 e4 69 a9 cf 53 16
bd 19 da 82 0a 61 f3 80 3c 6a a2 e9 5c 37 44 5c 43 ab 09 44 dc 36 06 c4 21
81 04 b2 7c 30 5d 28 0a ee de 42 e7 36 ba c9 1b cb a1 57 fc 93 d0 e1 c0 97
74 cf 06 7d bb 51 2b 71 6b 66 7a 4e ba 19 88 4a ca 06 7a 10 bb 7e c4 cb 28
19 49 2d 2c d2 ab d0 23 eb 49 b2 a8 e0 14 cd b8 a1 19 19 16 09 33 ee 62 71
0f b3 d7 e0 e8 86 b0 83 f7 22 0e 3b e1 22 83 97 0f 5b 34 3c 9c a3 f3 48 b7
28 ec 19 5e 4c fc 27 9d 54 f3 a1 fb 1d 2a e1 8d 03 44 62 2e a8 f4 a5 82 ed
36 79 d3 81 e3 fb d4 0f ca 2c 9e 8c f6 51 f2 dd ba 62 13 12 b8 12 03 fc 91
8f 4d 20 31 02 03 01 00 01 a3 82 01 42 30 82 01 3e 30 1d 06 03 55 1d 0e 04
16 04 14 68 e8 d7 58 ba fd 2c f8 55 e5 99 f0 1d 1b e1 b0 49 7c 45 43 30 81
d3 06 03 55 1d 23 04 81 cb 30 81 c8 80 14 68 e8 d7 58 ba fd 2c f8 55 e5 99
f0 1d 1b e1 b0 49 7c 45 43 a1 81 99 a4 81 96 30 81 93 31 0b 30 09 06 03 55
04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 12
30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55
04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48
86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67
31 26 30 24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66
69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 82 14 25 57 e1 72 8d 04 af e1
d4 dc 8f 3b a7 ed 9f 02 a1 14 24 68 30 0f 06 03 55 1d 13 01 01 ff 04 05 30
03 01 01 ff 30 36 06 03 55 1d 1f 04 2f 30 2d 30 2b a0 29 a0 27 86 25 68 74
74 70 3a 2f 2f 77 77 77 2e 65 78 61 6d 70 6c 65 2e 6f 72 67 2f 65 78 61 6d
70 6c 65 5f 63 61 2e 63 72 6c 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00
03 82 01 01 00 55 5b 2e 66 c6 da 9a 6f fd 14 17 2d be df 3d 1e 53 38 f5 5d
a2 58 fa fe b7 8d 26 40 8f 25 e0 4b 82 c5 6c 57 73 e1 5a d3 b0 35 94 6e cc
12 3e 61 00 1c 57 18 bb 69 8e 44 c8 74 1f c4 83 cb 47 e4 92 8f e2 3a 31 df
3b fa a2 51 a3 fd e3 c9 21 43 39 af 97 13 04 50 6b c9 d4 05 d0 c5 d5 5a 1b
10 5e eb 84 42 ae e4 96 82 19 1f 52 4e f1 c9 03 29 fc fb 65 07 6f 6d 71 59
d7 8e 07 6b a5 4d 7a 3e 70 e1 e9 2c db 86 76 2d 74 2d 09 8e 03 a3 a7 5e 8c
27 07 18 ae e5 8d 74 0c 5c ce d0 b9 b6 c3 a2 0b 02 35 4f 8b b6 32 af 96 b1
70 6c 91 d7 ac 96 40 7c fc 68 0f 49 e3 43 da aa 74 4c 3f 36 fc 28 7d 24 33
9c a1 36 b2 28 df 51 b0 92 6c 6e 9d 2c 32 08 05 fb c4 20 e9 be 9e 07 40 9a
20 8e bc 47 45 ab 0c 38 73 95 c2 86 d7 71 47 e1 7a 31 16 8e 56 1d 8e 07 43
9e 91 fc 75 97 bf 4c 3b 2d 05 80
OpenSSL: Peer certificate - depth 1
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
25:57:e1:72:8d:04:af:e1:d4:dc:8f:3b:a7:ed:9f:02:a1:14:24:68
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=FR, ST=Radius, L=Somewhere, O=Example Inc./emailAddress=
admin at example.org, CN=Example Certificate Authority
Validity
Not Before: Feb 28 01:32:24 2024 GMT
Not After : Apr 28 01:32:24 2024 GMT
Subject: C=FR, ST=Radius, L=Somewhere, O=Example Inc./emailAddress=
admin at example.org, CN=Example Certificate Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:8f:d8:eb:e0:ef:83:c9:18:7f:25:6e:38:e9:ef:
2d:6e:f1:e3:65:f0:39:87:f6:41:78:ad:8c:09:9f:
79:c9:e1:0f:79:d3:d2:96:a7:5f:f7:fe:44:d7:da:
66:b8:ba:79:f7:4e:c0:c2:f6:da:b0:9a:0c:9d:5e:
8b:d7:25:47:6b:08:a5:df:d3:53:d7:d7:e4:69:a9:
cf:53:16:bd:19:da:82:0a:61:f3:80:3c:6a:a2:e9:
5c:37:44:5c:43:ab:09:44:dc:36:06:c4:21:81:04:
b2:7c:30:5d:28:0a:ee:de:42:e7:36:ba:c9:1b:cb:
a1:57:fc:93:d0:e1:c0:97:74:cf:06:7d:bb:51:2b:
71:6b:66:7a:4e:ba:19:88:4a:ca:06:7a:10:bb:7e:
c4:cb:28:19:49:2d:2c:d2:ab:d0:23:eb:49:b2:a8:
e0:14:cd:b8:a1:19:19:16:09:33:ee:62:71:0f:b3:
d7:e0:e8:86:b0:83:f7:22:0e:3b:e1:22:83:97:0f:
5b:34:3c:9c:a3:f3:48:b7:28:ec:19:5e:4c:fc:27:
9d:54:f3:a1:fb:1d:2a:e1:8d:03:44:62:2e:a8:f4:
a5:82:ed:36:79:d3:81:e3:fb:d4:0f:ca:2c:9e:8c:
f6:51:f2:dd:ba:62:13:12:b8:12:03:fc:91:8f:4d:
20:31
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
68:E8:D7:58:BA:FD:2C:F8:55:E5:99:F0:1D:1B:E1:B0:49:7C:45:43
X509v3 Authority Key Identifier:
keyid:68:E8:D7:58:BA:FD:2C:F8:55:E5:99:F0:1D:1B:E1:B0:49:7C:45:43
DirName:/C=FR/ST=Radius/L=Somewhere/O=Example
Inc./emailAddress=admin at example.org/CN=Example Certificate Authority
serial:25:57:E1:72:8D:04:AF:E1:D4:DC:8F:3B:A7:ED:9F:02:A1:14:24:68
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 CRL Distribution Points:
Full Name:
URI:http://www.example.org/example_ca.crl
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
55:5b:2e:66:c6:da:9a:6f:fd:14:17:2d:be:df:3d:1e:53:38:
f5:5d:a2:58:fa:fe:b7:8d:26:40:8f:25:e0:4b:82:c5:6c:57:
73:e1:5a:d3:b0:35:94:6e:cc:12:3e:61:00:1c:57:18:bb:69:
8e:44:c8:74:1f:c4:83:cb:47:e4:92:8f:e2:3a:31:df:3b:fa:
a2:51:a3:fd:e3:c9:21:43:39:af:97:13:04:50:6b:c9:d4:05:
d0:c5:d5:5a:1b:10:5e:eb:84:42:ae:e4:96:82:19:1f:52:4e:
f1:c9:03:29:fc:fb:65:07:6f:6d:71:59:d7:8e:07:6b:a5:4d:
7a:3e:70:e1:e9:2c:db:86:76:2d:74:2d:09:8e:03:a3:a7:5e:
8c:27:07:18:ae:e5:8d:74:0c:5c:ce:d0:b9:b6:c3:a2:0b:02:
35:4f:8b:b6:32:af:96:b1:70:6c:91:d7:ac:96:40:7c:fc:68:
0f:49:e3:43:da:aa:74:4c:3f:36:fc:28:7d:24:33:9c:a1:36:
b2:28:df:51:b0:92:6c:6e:9d:2c:32:08:05:fb:c4:20:e9:be:
9e:07:40:9a:20:8e:bc:47:45:ab:0c:38:73:95:c2:86:d7:71:
47:e1:7a:31:16:8e:56:1d:8e:07:43:9e:91:fc:75:97:bf:4c:
3b:2d:05:80
CTRL-EVENT-EAP-PEER-CERT depth=1
subject='/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=
admin at example.org/CN=Example Certificate Authority'
hash=d9eac2b02db2002517073d70ad51fa46a6059ab4c460b5d258c55c26e0f3e389
TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=1
buf='/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=
admin at example.org/CN=Example Certificate Authority'
OpenSSL: Peer certificate - depth 0
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=FR, ST=Radius, L=Somewhere, O=Example Inc./emailAddress=
admin at example.org, CN=Example Certificate Authority
Validity
Not Before: Feb 28 01:32:24 2024 GMT
Not After : Apr 28 01:32:24 2024 GMT
Subject: C=FR, ST=Radius, O=Example Inc., CN=Example Server
Certificate/emailAddress=admin at example.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:90:f4:02:84:a3:1e:f1:c5:4d:2c:40:89:d9:6d:
75:1e:ee:59:0f:e2:a0:f8:12:88:94:54:16:a8:b0:
0f:b4:7a:68:0d:c5:c3:11:39:08:c2:6c:4a:11:14:
b5:ab:75:ea:29:5f:da:69:c5:e1:5d:e6:90:68:13:
da:c9:fe:a2:88:9f:9f:79:d0:c0:51:fc:c9:7e:07:
e0:3d:89:6a:23:0d:ec:1d:4f:60:4c:71:0b:64:7b:
da:d8:1f:c5:36:55:ea:73:87:ae:85:53:f7:da:01:
f2:72:63:1f:39:c5:68:ea:c2:fe:68:78:e1:55:72:
a2:f0:1d:37:f8:f4:4a:09:e6:e5:c2:a8:64:60:6c:
27:1e:cd:11:87:c5:10:40:e8:52:02:1b:d2:d5:04:
31:f3:77:66:8f:44:2f:96:ce:c8:11:7c:73:ef:5f:
c3:ee:3e:09:11:a0:fc:b5:71:31:ac:e5:1b:49:d0:
5f:c1:1b:de:cd:ed:a1:ad:35:f1:a9:db:86:cf:06:
60:7f:8c:ea:de:1c:dd:2a:cf:b5:2c:cd:15:11:6f:
1c:b8:16:ec:15:4a:22:44:8d:f3:28:dd:45:f5:18:
43:a8:66:9f:1b:0c:31:ab:31:da:1e:bf:5b:86:0a:
b7:a4:5d:1f:cd:bd:40:dc:bf:6d:1e:4e:84:95:47:
e6:7d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://www.example.com/example_ca.crl
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.40808.1.3.2
X509v3 Subject Key Identifier:
3A:44:F1:60:99:A6:E3:43:2B:16:95:CF:54:83:AC:52:AB:E6:0F:DF
X509v3 Authority Key Identifier:
68:E8:D7:58:BA:FD:2C:F8:55:E5:99:F0:1D:1B:E1:B0:49:7C:45:43
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
3f:a7:93:58:98:34:42:29:0e:cb:e3:fd:48:e9:04:e3:7d:a1:
b6:9f:8b:56:08:57:f8:3c:25:cf:ad:38:57:13:a2:a0:78:06:
c5:27:6f:47:f2:f0:69:3d:42:47:02:6b:13:7e:ae:da:12:b4:
43:56:cc:bd:ad:27:bc:44:3c:a2:ae:17:92:8c:93:44:ab:69:
95:d4:00:9a:3a:7e:da:75:ab:4e:c5:23:57:7b:08:05:ec:b4:
b0:1e:01:e6:74:cd:17:11:42:48:e5:95:3c:68:d5:08:08:bf:
da:8a:ed:cb:ef:78:57:bf:af:2b:3c:d7:0f:07:ee:e5:30:29:
23:0a:a4:73:f0:af:bf:9e:95:5f:51:78:f7:cf:70:f1:15:fa:
bd:cb:e7:c4:fa:45:f9:5e:8e:91:76:14:57:05:fd:17:97:d7:
f0:24:b3:b3:3f:c9:17:1e:b0:26:3c:74:23:df:92:60:5a:8c:
34:33:04:75:ec:57:f4:e7:db:30:53:00:4b:58:8e:e2:26:4d:
51:a4:81:00:83:5f:69:f9:2f:1b:eb:db:eb:03:d9:4d:7e:ed:
49:dd:be:8e:ba:34:44:d1:da:f3:70:d6:a9:a4:86:9e:a7:23:
6e:88:51:46:6b:f4:bb:28:fc:d5:a1:c4:39:67:48:38:24:25:
89:00:3a:ba
OpenSSL: Certificate Policy 1.3.6.1.4.1.40808.1.3.2
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=FR/ST=Radius/O=Example
Inc./CN=Example Server Certificate/emailAddress=admin at example.org'
hash=073547d6385e05633e2e810ad0e344cdd22c846f929bc63041a12f0c068cdb08
TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=0
buf='/C=FR/ST=Radius/O=Example Inc./CN=Example Server
Certificate/emailAddress=admin at example.org'
EAP: Status notification: remote certificate verification (param=success)
OpenSSL: RX ver=0x303 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): 16 03 03 01 2c
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS read server certificate
OpenSSL: RX ver=0x303 content_type=22 (handshake/server key exchange)
OpenSSL: Message - hexdump(len=300): 0c 00 01 28 03 00 1d 20 ec 42 a2 c9 7b
33 ba 7b 75 87 10 66 0f 24 9d b1 98 8f 18 2a c4 f3 a1 be c6 aa 63 b9 13 ee
06 64 08 04 01 00 71 93 8d 1b 65 54 69 02 3a ba 67 bb a8 06 31 76 e9 fe 7e
b4 76 65 02 70 df 1f 10 56 9a 2e 8e 8a e8 32 af 52 9c 07 a2 34 ea 2b 32 e8
91 0f c8 b2 d1 36 b0 37 4b 43 31 27 38 47 c1 58 39 30 a6 41 7b e5 ff e5 f9
30 0a 8d 3a d0 3f 08 e0 1d d0 27 ad 6d b6 6e c5 47 b7 57 67 d9 95 c3 5f 1b
f9 9c 80 2c ad 87 1f a2 cd 75 e7 a7 7c dc db a8 14 56 90 d8 e3 9b 1c 9b 89
50 41 cf 8d 2c 46 de 67 47 b1 a0 99 e9 1d 7d 81 35 7d 54 2b 8f 32 3e 1e 46
64 79 17 24 8b 87 8e e0 98 2d ac ae 6c dd 2d 0e 21 eb 5a 51 6b bd 1e ed a9
79 b3 0d 21 26 ce 00 50 ed 33 35 7b 07 af ac 69 7c 1f bf 67 00 7d ac c3 32
8d 74 09 bc 95 16 0d c7 f3 e2 c6 07 fe 9a ae 3f b6 f0 03 c0 01 ae 61 7d 34
76 9d 8f b5 2b a5 da 8f fb 8f 4a 34 34 b9 71 fa fe cb 54 7c 09 0a dd d6 90
3b a1 a8 d9 42 04 6e 94 5a 82 6d bd
OpenSSL: RX ver=0x303 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): 16 03 03 00 cc
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS read server key exchange
OpenSSL: RX ver=0x303 content_type=22 (handshake/certificate request)
OpenSSL: Message - hexdump(len=204): 0d 00 00 c8 03 01 02 40 00 28 04 03 05
03 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01
03 03 03 01 03 02 04 02 05 02 06 02 00 98 00 96 30 81 93 31 0b 30 09 06 03
55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31
12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03
55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86
48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72
67 31 26 30 24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69
66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79
OpenSSL: RX ver=0x303 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): 16 03 03 00 04
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS read server certificate request
OpenSSL: RX ver=0x303 content_type=22 (handshake/server hello done)
OpenSSL: Message - hexdump(len=4): 0e 00 00 00
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS read server done
OpenSSL: TX ver=0x303 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): 16 03 03 09 20
OpenSSL: TX ver=0x303 content_type=22 (handshake/certificate)
OpenSSL: Message - hexdump(len=2336): 0b 00 09 1c 00 09 19 00 04 15 30 82
04 11 30 82 02 f9 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 01
01 0b 05 00 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06
03 55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f
6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65
20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d
69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d
45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f
72 69 74 79 30 1e 17 0d 32 34 30 32 32 38 30 31 33 32 32 35 5a 17 0d 32 34
30 34 32 38 30 31 33 32 32 35 5a 30 71 31 0b 30 09 06 03 55 04 06 13 02 46
52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 15 30 13 06 03 55
04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 19 30 17 06 03 55 04 03
0c 10 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 1f 30 1d 06 09 2a
86 48 86 f7 0d 01 09 01 16 10 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72
67 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00
30 82 01 0a 02 82 01 01 00 d1 c6 40 45 7c 20 4f 03 e3 c2 98 b4 de b9 79 0c
67 db 36 e0 99 ff 1f c5 fe 86 42 58 0d 3a 09 50 d3 e6 86 88 e0 1d 84 31 46
e6 75 b2 d6 f9 47 3d ba 8c d1 0f 40 b3 fb 58 55 36 75 e8 6d 5f f9 74 68 8d
e4 e5 bb 94 64 41 b6 8f 4a 81 31 dc fc 8d f7 6d 25 84 be a3 68 b9 1b 6b 05
4d d1 07 3e 66 ca ce 43 8b 74 35 3b 35 1e 22 40 8d fb a5 96 79 ce 1f 23 04
a6 c0 a7 58 b1 f9 ce 5d f4 4f af 05 c7 b0 23 cc ce 0e 2d 7a ad 2e 60 be 0e
65 2e 5b 3b ad e9 8d d6 b8 df f6 1d 85 0d e9 56 ca b4 fd c5 97 16 52 c6 28
99 aa 32 62 00 11 1b c9 a0 99 57 71 45 75 32 2d 7c 20 3f d4 d7 d0 03 73 5b
f2 6e 45 ec 37 35 f7 18 99 bc 3c 16 4d aa 01 89 ea 33 96 9d e7 85 74 e0 3b
d1 c6 4d 3e 23 71 7a 7a 35 b7 60 08 94 72 3e 61 98 25 49 d9 03 83 fa 96 a9
a2 42 9a 13 03 e0 2a 07 ee e3 f8 2d 4d 8f 39 02 03 01 00 01 a3 81 90 30 81
8d 30 13 06 03 55 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 02 30 36 06
03 55 1d 1f 04 2f 30 2d 30 2b a0 29 a0 27 86 25 68 74 74 70 3a 2f 2f 77 77
77 2e 65 78 61 6d 70 6c 65 2e 63 6f 6d 2f 65 78 61 6d 70 6c 65 5f 63 61 2e
63 72 6c 30 1d 06 03 55 1d 0e 04 16 04 14 bf 8b ee 28 d4 a2 2a ee 30 ba 18
5b 11 76 50 45 1c bc a9 27 30 1f 06 03 55 1d 23 04 18 30 16 80 14 68 e8 d7
58 ba fd 2c f8 55 e5 99 f0 1d 1b e1 b0 49 7c 45 43 30 0d 06 09 2a 86 48 86
f7 0d 01 01 0b 05 00 03 82 01 01 00 5d ee d5 bf fc 30 3a 44 32 e4 68 16 9d
fb 14 6b f5 bd 26 9e 19 6d 22 21 5c 0f 51 42 d7 b5 da ed 63 94 b7 8d 8b f9
41 b4 c9 e9 0b c3 99 71 89 d5 67 25 e9 4e 46 42 01 15 eb 96 08 01 37 18 41
75 53 c0 00 6b 75 fe 76 30 74 bf 66 74 c5 11 2d 6f 6c 4f 75 fc d7 14 20 fb
86 29 80 13 7b 45 1a 95 57 77 14 5d 5d b9 fd f3 6f 6b da 4a bb ff ec 75 f8
f7 de f4 7a af fb db fa aa 41 ef ba 6c 35 b9 1d 46 55 4d 70 a3 da b7 77 e0
8d 19 28 6f 3a 83 5e f1 12 34 1c e0 9a 2b f5 98 73 17 9b d4 0e 45 f5 04 cd
e2 08 d3 13 2c a4 30 91 4b 69 4c 5d ab df 94 30 89 61 fd 14 ff d3 59 75 1f
cc 29 28 93 a5 c8 96 76 ad ac 6c 48 4a 16 c9 d3 0c df 42 be 93 53 08 69 5e
68 b7 d9 64 d5 09 58 cf f5 45 43 65 f6 02 9a 6a f7 fe 25 c3 9f a6 99 06 b3
f7 94 0e b2 6b 45 41 d5 c9 e3 28 94 80 51 a3 08 44 4c 00 04 fe 30 82 04 fa
30 82 03 e2 a0 03 02 01 02 02 14 25 57 e1 72 8d 04 af e1 d4 dc 8f 3b a7 ed
9f 02 a1 14 24 68 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 81 93 31
0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61
64 69 75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31
15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30
1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70
6c 65 2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20
43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 30 1e 17 0d
32 34 30 32 32 38 30 31 33 32 32 34 5a 17 0d 32 34 30 34 32 38 30 31 33 32
32 34 5a 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03
55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f 6d
65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20
49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69
6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d 45
78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72
69 74 79 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01
0f 00 30 82 01 0a 02 82 01 01 00 8f d8 eb e0 ef 83 c9 18 7f 25 6e 38 e9 ef
2d 6e f1 e3 65 f0 39 87 f6 41 78 ad 8c 09 9f 79 c9 e1 0f 79 d3 d2 96 a7 5f
f7 fe 44 d7 da 66 b8 ba 79 f7 4e c0 c2 f6 da b0 9a 0c 9d 5e 8b d7 25 47 6b
08 a5 df d3 53 d7 d7 e4 69 a9 cf 53 16 bd 19 da 82 0a 61 f3 80 3c 6a a2 e9
5c 37 44 5c 43 ab 09 44 dc 36 06 c4 21 81 04 b2 7c 30 5d 28 0a ee de 42 e7
36 ba c9 1b cb a1 57 fc 93 d0 e1 c0 97 74 cf 06 7d bb 51 2b 71 6b 66 7a 4e
ba 19 88 4a ca 06 7a 10 bb 7e c4 cb 28 19 49 2d 2c d2 ab d0 23 eb 49 b2 a8
e0 14 cd b8 a1 19 19 16 09 33 ee 62 71 0f b3 d7 e0 e8 86 b0 83 f7 22 0e 3b
e1 22 83 97 0f 5b 34 3c 9c a3 f3 48 b7 28 ec 19 5e 4c fc 27 9d 54 f3 a1 fb
1d 2a e1 8d 03 44 62 2e a8 f4 a5 82 ed 36 79 d3 81 e3 fb d4 0f ca 2c 9e 8c
f6 51 f2 dd ba 62 13 12 b8 12 03 fc 91 8f 4d 20 31 02 03 01 00 01 a3 82 01
42 30 82 01 3e 30 1d 06 03 55 1d 0e 04 16 04 14 68 e8 d7 58 ba fd 2c f8 55
e5 99 f0 1d 1b e1 b0 49 7c 45 43 30 81 d3 06 03 55 1d 23 04 81 cb 30 81 c8
80 14 68 e8 d7 58 ba fd 2c f8 55 e5 99 f0 1d 1b e1 b0 49 7c 45 43 a1 81 99
a4 81 96 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03
55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f 6d
65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20
49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69
6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d 45
78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72
69 74 79 82 14 25 57 e1 72 8d 04 af e1 d4 dc 8f 3b a7 ed 9f 02 a1 14 24 68
30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff 30 36 06 03 55 1d 1f 04
2f 30 2d 30 2b a0 29 a0 27 86 25 68 74 74 70 3a 2f 2f 77 77 77 2e 65 78 61
6d 70 6c 65 2e 6f 72 67 2f 65 78 61 6d 70 6c 65 5f 63 61 2e 63 72 6c 30 0d
06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 55 5b 2e 66 c6 da 9a
6f fd 14 17 2d be df 3d 1e 53 38 f5 5d a2 58 fa fe b7 8d 26 40 8f 25 e0 4b
82 c5 6c 57 73 e1 5a d3 b0 35 94 6e cc 12 3e 61 00 1c 57 18 bb 69 8e 44 c8
74 1f c4 83 cb 47 e4 92 8f e2 3a 31 df 3b fa a2 51 a3 fd e3 c9 21 43 39 af
97 13 04 50 6b c9 d4 05 d0 c5 d5 5a 1b 10 5e eb 84 42 ae e4 96 82 19 1f 52
4e f1 c9 03 29 fc fb 65 07 6f 6d 71 59 d7 8e 07 6b a5 4d 7a 3e 70 e1 e9 2c
db 86 76 2d 74 2d 09 8e 03 a3 a7 5e 8c 27 07 18 ae e5 8d 74 0c 5c ce d0 b9
b6 c3 a2 0b 02 35 4f 8b b6 32 af 96 b1 70 6c 91 d7 ac 96 40 7c fc 68 0f 49
e3 43 da aa 74 4c 3f 36 fc 28 7d 24 33 9c a1 36 b2 28 df 51 b0 92 6c 6e 9d
2c 32 08 05 fb c4 20 e9 be 9e 07 40 9a 20 8e bc 47 45 ab 0c 38 73 95 c2 86
d7 71 47 e1 7a 31 16 8e 56 1d 8e 07 43 9e 91 fc 75 97 bf 4c 3b 2d 05 80
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write client certificate
OpenSSL: TX ver=0x303 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): 16 03 03 00 25
OpenSSL: TX ver=0x303 content_type=22 (handshake/client key exchange)
OpenSSL: Message - hexdump(len=37): 10 00 00 21 20 8d d6 f6 a6 33 0a f7 f9
a6 0e 4e 88 a4 4d 42 bc e3 f9 03 4b 93 b6 eb 6e 75 0f f8 fc 1a 79 cc 7f
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write client key exchange
OpenSSL: TX ver=0x303 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): 16 03 03 01 08
OpenSSL: TX ver=0x303 content_type=22 (handshake/certificate verify)
OpenSSL: Message - hexdump(len=264): 0f 00 01 04 08 04 01 00 19 50 dc 25 20
c7 d1 09 52 26 0f d9 66 db 0e d4 fc 5c 3d 27 f8 39 f9 ca 21 2b 12 35 97 2a
2b 70 e6 70 56 f9 e0 f4 2d 12 3b 49 d6 f3 70 f7 d0 c2 52 2a d4 21 74 d5 f0
36 2d 5f 0a a3 35 ff e7 79 20 a9 09 10 20 86 b6 a6 a8 42 b4 9e 99 1e 7b aa
5a 0c 47 30 c5 bf 8d d1 a9 ec 58 6a 3e 0f 2c 3c 50 32 ab 75 3d 51 a1 2c 74
4c 12 9c f2 5b bb 9d 32 58 0e 77 bf 76 fe c2 f1 d1 4f 48 95 98 ab 5a 0e 35
6c ca 41 4f f4 2f 0f ba 76 c6 7c 86 4e 01 84 c4 f2 bd 64 8b 88 71 59 fe 32
e8 b9 c2 02 b2 7d 00 cf 19 88 2f d7 5c af 8c 2b 9b a3 c0 92 94 33 39 88 4a
a4 f0 12 55 c3 94 6d 09 de 15 f8 2f 57 4d 79 da fd d3 8e 7c 5f 6c db 6e 6b
c5 3f b8 97 87 c9 da 63 f2 21 6b 28 c5 bb 8a 5f 5d d7 28 7a f3 bf 39 c7 c9
d0 8b 6f 2a e9 0f 03 f1 be d8 1f da e9 d3 0f e3 57 e9 3f c7 4a 14 d6 8b 81
b2
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write certificate verify
OpenSSL: TX ver=0x303 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): 14 03 03 00 01
OpenSSL: TX ver=0x303 content_type=20 (change cipher spec/)
OpenSSL: Message - hexdump(len=1): 01
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write change cipher spec
OpenSSL: TX ver=0x303 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): 16 03 03 00 28
OpenSSL: TX ver=0x303 content_type=22 (handshake/finished)
OpenSSL: Message - hexdump(len=16): 14 00 00 0c a8 6f b1 7e d2 14 c7 c2 de
bf 56 20
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write finished
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3/TLS write finished
SSL: SSL_connect - want more data
SSL: 2703 bytes pending from ssl_out
SSL: Using TLS version TLSv1.2
SSL: 2703 bytes left to be sent out (of total 2703 bytes)
SSL: sending 1398 bytes, more fragments will follow
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
eapRespData=0x55ff45bf6220
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=1408)
TX EAP -> RADIUS - hexdump(len=1408): 02 51 05 80 0d c0 00 00 0a 8f 16 03
03 09 20 0b 00 09 1c 00 09 19 00 04 15 30 82 04 11 30 82 02 f9 a0 03 02 01
02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 81 93 31 0b 30
09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69
75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30
13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06
09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65
2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65
72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 30 1e 17 0d 32 34
30 32 32 38 30 31 33 32 32 35 5a 17 0d 32 34 30 34 32 38 30 31 33 32 32 35
5a 30 71 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08
0c 06 52 61 64 69 75 73 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c
65 20 49 6e 63 2e 31 19 30 17 06 03 55 04 03 0c 10 75 73 65 72 40 65 78 61
6d 70 6c 65 2e 6f 72 67 31 1f 30 1d 06 09 2a 86 48 86 f7 0d 01 09 01 16 10
75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 30 82 01 22 30 0d 06 09 2a
86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 d1
c6 40 45 7c 20 4f 03 e3 c2 98 b4 de b9 79 0c 67 db 36 e0 99 ff 1f c5 fe 86
42 58 0d 3a 09 50 d3 e6 86 88 e0 1d 84 31 46 e6 75 b2 d6 f9 47 3d ba 8c d1
0f 40 b3 fb 58 55 36 75 e8 6d 5f f9 74 68 8d e4 e5 bb 94 64 41 b6 8f 4a 81
31 dc fc 8d f7 6d 25 84 be a3 68 b9 1b 6b 05 4d d1 07 3e 66 ca ce 43 8b 74
35 3b 35 1e 22 40 8d fb a5 96 79 ce 1f 23 04 a6 c0 a7 58 b1 f9 ce 5d f4 4f
af 05 c7 b0 23 cc ce 0e 2d 7a ad 2e 60 be 0e 65 2e 5b 3b ad e9 8d d6 b8 df
f6 1d 85 0d e9 56 ca b4 fd c5 97 16 52 c6 28 99 aa 32 62 00 11 1b c9 a0 99
57 71 45 75 32 2d 7c 20 3f d4 d7 d0 03 73 5b f2 6e 45 ec 37 35 f7 18 99 bc
3c 16 4d aa 01 89 ea 33 96 9d e7 85 74 e0 3b d1 c6 4d 3e 23 71 7a 7a 35 b7
60 08 94 72 3e 61 98 25 49 d9 03 83 fa 96 a9 a2 42 9a 13 03 e0 2a 07 ee e3
f8 2d 4d 8f 39 02 03 01 00 01 a3 81 90 30 81 8d 30 13 06 03 55 1d 25 04 0c
30 0a 06 08 2b 06 01 05 05 07 03 02 30 36 06 03 55 1d 1f 04 2f 30 2d 30 2b
a0 29 a0 27 86 25 68 74 74 70 3a 2f 2f 77 77 77 2e 65 78 61 6d 70 6c 65 2e
63 6f 6d 2f 65 78 61 6d 70 6c 65 5f 63 61 2e 63 72 6c 30 1d 06 03 55 1d 0e
04 16 04 14 bf 8b ee 28 d4 a2 2a ee 30 ba 18 5b 11 76 50 45 1c bc a9 27 30
1f 06 03 55 1d 23 04 18 30 16 80 14 68 e8 d7 58 ba fd 2c f8 55 e5 99 f0 1d
1b e1 b0 49 7c 45 43 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01
01 00 5d ee d5 bf fc 30 3a 44 32 e4 68 16 9d fb 14 6b f5 bd 26 9e 19 6d 22
21 5c 0f 51 42 d7 b5 da ed 63 94 b7 8d 8b f9 41 b4 c9 e9 0b c3 99 71 89 d5
67 25 e9 4e 46 42 01 15 eb 96 08 01 37 18 41 75 53 c0 00 6b 75 fe 76 30 74
bf 66 74 c5 11 2d 6f 6c 4f 75 fc d7 14 20 fb 86 29 80 13 7b 45 1a 95 57 77
14 5d 5d b9 fd f3 6f 6b da 4a bb ff ec 75 f8 f7 de f4 7a af fb db fa aa 41
ef ba 6c 35 b9 1d 46 55 4d 70 a3 da b7 77 e0 8d 19 28 6f 3a 83 5e f1 12 34
1c e0 9a 2b f5 98 73 17 9b d4 0e 45 f5 04 cd e2 08 d3 13 2c a4 30 91 4b 69
4c 5d ab df 94 30 89 61 fd 14 ff d3 59 75 1f cc 29 28 93 a5 c8 96 76 ad ac
6c 48 4a 16 c9 d3 0c df 42 be 93 53 08 69 5e 68 b7 d9 64 d5 09 58 cf f5 45
43 65 f6 02 9a 6a f7 fe 25 c3 9f a6 99 06 b3 f7 94 0e b2 6b 45 41 d5 c9 e3
28 94 80 51 a3 08 44 4c 00 04 fe 30 82 04 fa 30 82 03 e2 a0 03 02 01 02 02
14 25 57 e1 72 8d 04 af e1 d4 dc 8f 3b a7 ed 9f 02 a1 14 24 68 30 0d 06 09
2a 86 48 86 f7 0d 01 01 0b 05 00 30 81 93 31 0b 30 09 06 03 55 04 06 13 02
46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03
55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c
45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01
09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30 24
06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74
65 20 41 75 74 68 6f 72 69 74 79 30 1e 17 0d 32 34 30 32 32 38 30 31 33 32
32 34 5a 17 0d 32 34 30 34 32 38 30 31 33 32 32 34 5a 30 81 93 31 0b 30 09
06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75
73 31 12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13
06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09
2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d
Encapsulating EAP message into a RADIUS packet
Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=4 length=1561
Attribute 1 (User-Name) length=18
Value: 'user at example.org'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 6 (Service-Type) length=6
Value: 2
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=255
Value:
025105800dc000000a8f16030309200b00091c00091900041530820411308202f9a003020102020102300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3234303232383031333232355a170d3234303432383031333232355a3071310b3009060355040613024652
Attribute 79 (EAP-Message) length=255
Value:
310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3119301706035504030c1075736572406578616d706c652e6f7267311f301d06092a864886f70d010901161075736572406578616d706c652e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100d1c640457c204f03e3c298b4deb9790c67db36e099ff1fc5fe8642580d3a0950d3e68688e01d843146e675b2d6f9473dba8cd10f40b3fb58553675e86d5ff974688de4e5bb946441b68f4a8131dcfc8df76d2584bea368b91b6b054dd1073e66cace438b74353b351e22408dfba59679ce1f2304a6c0a758
Attribute 79 (EAP-Message) length=255
Value:
b1f9ce5df44faf05c7b023ccce0e2d7aad2e60be0e652e5b3bade98dd6b8dff61d850de956cab4fdc5971652c62899aa326200111bc9a09957714575322d7c203fd4d7d003735bf26e45ec3735f71899bc3c164daa0189ea33969de78574e03bd1c64d3e23717a7a35b7600894723e61982549d90383fa96a9a2429a1303e02a07eee3f82d4d8f390203010001a3819030818d30130603551d25040c300a06082b0601050507030230360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c301d0603551d0e04160414bf8bee28d4a22aee30ba185b117650451cbc
Attribute 79 (EAP-Message) length=255
Value:
a927301f0603551d2304183016801468e8d758bafd2cf855e599f01d1be1b0497c4543300d06092a864886f70d01010b050003820101005deed5bffc303a4432e468169dfb146bf5bd269e196d22215c0f5142d7b5daed6394b78d8bf941b4c9e90bc3997189d56725e94e46420115eb9608013718417553c0006b75fe763074bf6674c5112d6f6c4f75fcd71420fb862980137b451a955777145d5db9fdf36f6bda4abbffec75f8f7def47aaffbdbfaaa41efba6c35b91d46554d70a3dab777e08d19286f3a835ef112341ce09a2bf59873179bd40e45f504cde208d3132ca430914b694c5dabdf94308961fd14ffd359751fcc292893a5c89676adac
Attribute 79 (EAP-Message) length=255
Value:
6c484a16c9d30cdf42be935308695e68b7d964d50958cff5454365f6029a6af7fe25c39fa69906b3f7940eb26b4541d5c9e328948051a308444c0004fe308204fa308203e2a00302010202142557e1728d04afe1d4dc8f3ba7ed9f02a1142468300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c652043657274696669636174652041
Attribute 79 (EAP-Message) length=145
Value:
7574686f72697479301e170d3234303232383031333232345a170d3234303432383031333232345a308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d
Attribute 24 (State) length=18
Value: edd2cd8eee83c0b549867676db0ddfbf
Attribute 80 (Message-Authenticator) length=18
Value: 1213b7b549a42a80cf22c97939bd0db2
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 64 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=4 length=64
Attribute 79 (EAP-Message) length=8
Value: 015200060d00
Attribute 80 (Message-Authenticator) length=18
Value: cd281f4551bdcfb766e10e04929a11e1
Attribute 24 (State) length=18
Value: edd2cd8ee980c0b549867676db0ddfbf
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=82 len=6) from RADIUS server:
EAP-Request-TLS (13)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=82 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=6) - Flags 0x00
SSL: 1305 bytes left to be sent out (of total 2703 bytes)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
eapRespData=0x55ff45bd66e0
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=1311)
TX EAP -> RADIUS - hexdump(len=1311): 02 52 05 1f 0d 00 70 6c 65 2e 6f 72
67 31 26 30 24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69
66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 30 82 01 22 30 0d 06 09 2a
86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 8f
d8 eb e0 ef 83 c9 18 7f 25 6e 38 e9 ef 2d 6e f1 e3 65 f0 39 87 f6 41 78 ad
8c 09 9f 79 c9 e1 0f 79 d3 d2 96 a7 5f f7 fe 44 d7 da 66 b8 ba 79 f7 4e c0
c2 f6 da b0 9a 0c 9d 5e 8b d7 25 47 6b 08 a5 df d3 53 d7 d7 e4 69 a9 cf 53
16 bd 19 da 82 0a 61 f3 80 3c 6a a2 e9 5c 37 44 5c 43 ab 09 44 dc 36 06 c4
21 81 04 b2 7c 30 5d 28 0a ee de 42 e7 36 ba c9 1b cb a1 57 fc 93 d0 e1 c0
97 74 cf 06 7d bb 51 2b 71 6b 66 7a 4e ba 19 88 4a ca 06 7a 10 bb 7e c4 cb
28 19 49 2d 2c d2 ab d0 23 eb 49 b2 a8 e0 14 cd b8 a1 19 19 16 09 33 ee 62
71 0f b3 d7 e0 e8 86 b0 83 f7 22 0e 3b e1 22 83 97 0f 5b 34 3c 9c a3 f3 48
b7 28 ec 19 5e 4c fc 27 9d 54 f3 a1 fb 1d 2a e1 8d 03 44 62 2e a8 f4 a5 82
ed 36 79 d3 81 e3 fb d4 0f ca 2c 9e 8c f6 51 f2 dd ba 62 13 12 b8 12 03 fc
91 8f 4d 20 31 02 03 01 00 01 a3 82 01 42 30 82 01 3e 30 1d 06 03 55 1d 0e
04 16 04 14 68 e8 d7 58 ba fd 2c f8 55 e5 99 f0 1d 1b e1 b0 49 7c 45 43 30
81 d3 06 03 55 1d 23 04 81 cb 30 81 c8 80 14 68 e8 d7 58 ba fd 2c f8 55 e5
99 f0 1d 1b e1 b0 49 7c 45 43 a1 81 99 a4 81 96 30 81 93 31 0b 30 09 06 03
55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31
12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03
55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86
48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72
67 31 26 30 24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69
66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 82 14 25 57 e1 72 8d 04 af
e1 d4 dc 8f 3b a7 ed 9f 02 a1 14 24 68 30 0f 06 03 55 1d 13 01 01 ff 04 05
30 03 01 01 ff 30 36 06 03 55 1d 1f 04 2f 30 2d 30 2b a0 29 a0 27 86 25 68
74 74 70 3a 2f 2f 77 77 77 2e 65 78 61 6d 70 6c 65 2e 6f 72 67 2f 65 78 61
6d 70 6c 65 5f 63 61 2e 63 72 6c 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05
00 03 82 01 01 00 55 5b 2e 66 c6 da 9a 6f fd 14 17 2d be df 3d 1e 53 38 f5
5d a2 58 fa fe b7 8d 26 40 8f 25 e0 4b 82 c5 6c 57 73 e1 5a d3 b0 35 94 6e
cc 12 3e 61 00 1c 57 18 bb 69 8e 44 c8 74 1f c4 83 cb 47 e4 92 8f e2 3a 31
df 3b fa a2 51 a3 fd e3 c9 21 43 39 af 97 13 04 50 6b c9 d4 05 d0 c5 d5 5a
1b 10 5e eb 84 42 ae e4 96 82 19 1f 52 4e f1 c9 03 29 fc fb 65 07 6f 6d 71
59 d7 8e 07 6b a5 4d 7a 3e 70 e1 e9 2c db 86 76 2d 74 2d 09 8e 03 a3 a7 5e
8c 27 07 18 ae e5 8d 74 0c 5c ce d0 b9 b6 c3 a2 0b 02 35 4f 8b b6 32 af 96
b1 70 6c 91 d7 ac 96 40 7c fc 68 0f 49 e3 43 da aa 74 4c 3f 36 fc 28 7d 24
33 9c a1 36 b2 28 df 51 b0 92 6c 6e 9d 2c 32 08 05 fb c4 20 e9 be 9e 07 40
9a 20 8e bc 47 45 ab 0c 38 73 95 c2 86 d7 71 47 e1 7a 31 16 8e 56 1d 8e 07
43 9e 91 fc 75 97 bf 4c 3b 2d 05 80 16 03 03 00 25 10 00 00 21 20 8d d6 f6
a6 33 0a f7 f9 a6 0e 4e 88 a4 4d 42 bc e3 f9 03 4b 93 b6 eb 6e 75 0f f8 fc
1a 79 cc 7f 16 03 03 01 08 0f 00 01 04 08 04 01 00 19 50 dc 25 20 c7 d1 09
52 26 0f d9 66 db 0e d4 fc 5c 3d 27 f8 39 f9 ca 21 2b 12 35 97 2a 2b 70 e6
70 56 f9 e0 f4 2d 12 3b 49 d6 f3 70 f7 d0 c2 52 2a d4 21 74 d5 f0 36 2d 5f
0a a3 35 ff e7 79 20 a9 09 10 20 86 b6 a6 a8 42 b4 9e 99 1e 7b aa 5a 0c 47
30 c5 bf 8d d1 a9 ec 58 6a 3e 0f 2c 3c 50 32 ab 75 3d 51 a1 2c 74 4c 12 9c
f2 5b bb 9d 32 58 0e 77 bf 76 fe c2 f1 d1 4f 48 95 98 ab 5a 0e 35 6c ca 41
4f f4 2f 0f ba 76 c6 7c 86 4e 01 84 c4 f2 bd 64 8b 88 71 59 fe 32 e8 b9 c2
02 b2 7d 00 cf 19 88 2f d7 5c af 8c 2b 9b a3 c0 92 94 33 39 88 4a a4 f0 12
55 c3 94 6d 09 de 15 f8 2f 57 4d 79 da fd d3 8e 7c 5f 6c db 6e 6b c5 3f b8
97 87 c9 da 63 f2 21 6b 28 c5 bb 8a 5f 5d d7 28 7a f3 bf 39 c7 c9 d0 8b 6f
2a e9 0f 03 f1 be d8 1f da e9 d3 0f e3 57 e9 3f c7 4a 14 d6 8b 81 b2 14 03
03 00 01 01 16 03 03 00 28 1b 31 eb fa 83 cb d9 c6 cc ed cb 99 07 68 8b 82
af 46 f8 2e 76 e0 76 60 84 2d e8 36 2f 37 9e 14 65 8b 64 e7 8e 6c 8b c6
Encapsulating EAP message into a RADIUS packet
Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=5 length=1464
Attribute 1 (User-Name) length=18
Value: 'user at example.org'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 6 (Service-Type) length=6
Value: 2
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=255
Value:
0252051f0d00706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820101008fd8ebe0ef83c9187f256e38e9ef2d6ef1e365f03987f64178ad8c099f79c9e10f79d3d296a75ff7fe44d7da66b8ba79f74ec0c2f6dab09a0c9d5e8bd725476b08a5dfd353d7d7e469a9cf5316bd19da820a61f3803c6aa2e95c37445c43ab0944dc3606c4218104b27c305d280aeede42e736bac91bcba157fc93d0e1c09774cf067dbb512b716b667a4eba19884aca067a10bb7ec4cb2819492d2cd2abd023eb49b2a8e014cd
Attribute 79 (EAP-Message) length=255
Value:
b8a11919160933ee62710fb3d7e0e886b083f7220e3be12283970f5b343c9ca3f348b728ec195e4cfc279d54f3a1fb1d2ae18d0344622ea8f4a582ed3679d381e3fbd40fca2c9e8cf651f2ddba621312b81203fc918f4d20310203010001a38201423082013e301d0603551d0e0416041468e8d758bafd2cf855e599f01d1be1b0497c45433081d30603551d230481cb3081c8801468e8d758bafd2cf855e599f01d1be1b0497c4543a18199a48196308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120
Attribute 79 (EAP-Message) length=255
Value:
301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747982142557e1728d04afe1d4dc8f3ba7ed9f02a1142468300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382010100555b2e66c6da9a6ffd14172dbedf3d1e5338f55da258fafeb78d26408f25e04b82c56c5773e15ad3b035946ecc123e61001c5718bb698e44c8741fc483cb47e4928f
Attribute 79 (EAP-Message) length=255
Value:
e23a31df3bfaa251a3fde3c9214339af971304506bc9d405d0c5d55a1b105eeb8442aee49682191f524ef1c90329fcfb65076f6d7159d78e076ba54d7a3e70e1e92cdb86762d742d098e03a3a75e8c270718aee58d740c5cced0b9b6c3a20b02354f8bb632af96b1706c91d7ac96407cfc680f49e343daaa744c3f36fc287d24339ca136b228df51b0926c6e9d2c320805fbc420e9be9e07409a208ebc4745ab0c387395c286d77147e17a31168e561d8e07439e91fc7597bf4c3b2d0580160303002510000021208dd6f6a6330af7f9a60e4e88a44d42bce3f9034b93b6eb6e750ff8fc1a79cc7f16030301080f000104080401001950dc2520c7d109
Attribute 79 (EAP-Message) length=255
Value:
52260fd966db0ed4fc5c3d27f839f9ca212b1235972a2b70e67056f9e0f42d123b49d6f370f7d0c2522ad42174d5f0362d5f0aa335ffe77920a909102086b6a6a842b49e991e7baa5a0c4730c5bf8dd1a9ec586a3e0f2c3c5032ab753d51a12c744c129cf25bbb9d32580e77bf76fec2f1d14f489598ab5a0e356cca414ff42f0fba76c67c864e0184c4f2bd648b887159fe32e8b9c202b27d00cf19882fd75caf8c2b9ba3c092943339884aa4f01255c3946d09de15f82f574d79dafdd38e7c5f6cdb6e6bc53fb89787c9da63f2216b28c5bb8a5f5dd7287af3bf39c7c9d08b6f2ae90f03f1bed81fdae9d30fe357e93fc74a14d68b81b21403030001
Attribute 79 (EAP-Message) length=48
Value:
0116030300281b31ebfa83cbd9c6ccedcb9907688b82af46f82e76e07660842de8362f379e14658b64e78e6c8bc6
Attribute 24 (State) length=18
Value: edd2cd8ee980c0b549867676db0ddfbf
Attribute 80 (Message-Authenticator) length=18
Value: d805d0771672ef58541bec3f5cde98e9
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 119 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=5 length=119
Attribute 79 (EAP-Message) length=63
Value:
0153003d0d80000000331403030001011603030028e100ea24e0de696191dadcd86e3ad167f1173edcc253566723fe0bf06e8cab5a58d10a790b8d69aa
Attribute 80 (Message-Authenticator) length=18
Value: 7c0302c4097364468fd1529ac929cd4b
Attribute 24 (State) length=18
Value: edd2cd8ee881c0b549867676db0ddfbf
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=83 len=61) from RADIUS server:
EAP-Request-TLS (13)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=83 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=61) - Flags 0x80
SSL: TLS Message Length: 51
OpenSSL: RX ver=0x303 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): 14 03 03 00 01
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write finished
OpenSSL: RX ver=0x303 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): 16 03 03 00 28
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS read change cipher spec
OpenSSL: RX ver=0x303 content_type=22 (handshake/finished)
OpenSSL: Message - hexdump(len=16): 14 00 00 0c 47 aa b4 c6 17 0e 0c 8e 8e
bb 13 fb
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS read finished
SSL: (where=0x20 ret=0x1)
SSL: (where=0x1002 ret=0x1)
SSL: 0 bytes pending from ssl_out
OpenSSL: Handshake finished - resumed=0
SSL: No Application Data included
SSL: Using TLS version TLSv1.2
SSL: No data to be sent out
EAP-TLS: Done
EAP-TLS: Derived key - hexdump(len=64): 7a a7 6b 29 a7 94 b6 00 68 af a3 38
f3 e9 81 8e ed ed 0f cd ce c6 86 75 05 41 9d 8e fe cb d6 58 aa d4 d0 1d 9b
83 70 28 08 14 54 09 b4 a4 ba 60 f5 bd 0d a9 9b 8a 07 f3 98 a7 5c 1e 31 2b
d5 69
EAP-TLS: Derived EMSK - hexdump(len=64): 08 2e e3 b6 ce 7e c1 6e 68 d2 8e
c9 c3 2f 98 81 f5 86 32 f0 ba 0f 81 be 63 49 71 3d 6f 28 03 0e 8a 2d 76 cc
38 98 ca 0f ba b5 6a 50 b3 15 24 bc 0a 51 cb 37 b4 9b c7 a2 bf 3e 6b 20 9a
ea 17 24
EAP-TLS: Derived Session-Id - hexdump(len=65): 0d fe d5 af 5e 92 5e df 28
8b 3a 05 6a 3b 3e a9 8e 41 47 b3 cf ff ee 88 27 e6 3c 15 56 17 56 73 0a f6
1d 14 e6 50 35 ac cc f7 f1 01 ae 2d e5 43 a9 bd 8e f9 d6 1c 9c d4 e1 36 2e
a6 74 a4 39 c0 9f
SSL: Building ACK (type=13 id=83 ver=0)
EAP: method process -> ignore=FALSE methodState=DONE decision=UNCOND_SUCC
eapRespData=0x55ff45bb9560
EAP: Session-Id - hexdump(len=65): 0d fe d5 af 5e 92 5e df 28 8b 3a 05 6a
3b 3e a9 8e 41 47 b3 cf ff ee 88 27 e6 3c 15 56 17 56 73 0a f6 1d 14 e6 50
35 ac cc f7 f1 01 ae 2d e5 43 a9 bd 8e f9 d6 1c 9c d4 e1 36 2e a6 74 a4 39
c0 9f
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=6)
TX EAP -> RADIUS - hexdump(len=6): 02 53 00 06 0d 00
Encapsulating EAP message into a RADIUS packet
Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=6 length=149
Attribute 1 (User-Name) length=18
Value: 'user at example.org'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 6 (Service-Type) length=6
Value: 2
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=8
Value: 025300060d00
Attribute 24 (State) length=18
Value: edd2cd8ee881c0b549867676db0ddfbf
Attribute 80 (Message-Authenticator) length=18
Value: ee207023ce0751ba3bfe31c5a0eea8b1
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 184 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=2 (Access-Accept) identifier=6 length=184
Attribute 26 (Vendor-Specific) length=58
Value:
000001371134868a899f3acfd82648dfbf7c03ea7935a7869aca0dced9dc09e97dcccb5401b7260ffcae0ab0cee7fdc0eec9cf91724d8941
Attribute 26 (Vendor-Specific) length=58
Value:
0000013710348d0655c6e2447c1257c63d90a459a8bdd11ce29bcd59f7d0db5d03a405a1b7cf8f4e308971a6df4d4e599ce6bc162c1b4f8b
Attribute 79 (EAP-Message) length=6
Value: 03530004
Attribute 80 (Message-Authenticator) length=18
Value: 05bfc525ab78a654cc6d7861a36e6584
Attribute 1 (User-Name) length=18
Value: 'user at example.org'
Attribute 12 (Framed-MTU) length=6
Value: 994
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec
RADIUS packet matching with station
MS-MPPE-Send-Key (sign) - hexdump(len=32): aa d4 d0 1d 9b 83 70 28 08 14 54
09 b4 a4 ba 60 f5 bd 0d a9 9b 8a 07 f3 98 a7 5c 1e 31 2b d5 69
MS-MPPE-Recv-Key (crypt) - hexdump(len=32): 7a a7 6b 29 a7 94 b6 00 68 af
a3 38 f3 e9 81 8e ed ed 0f cd ce c6 86 75 05 41 9d 8e fe cb d6 58
decapsulated EAP packet (code=3 id=83 len=4) from RADIUS server: EAP Success
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: Status notification: completion (param=success)
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
WPA: EAPOL processing complete
Cancelling authentication timeout
State: DISCONNECTED -> COMPLETED
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state SUCCESS
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: result=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL - hexdump(len=32): 7a a7 6b 29 a7 94 b6 00 68 af a3 38 f3 e9
81 8e ed ed 0f cd ce c6 86 75 05 41 9d 8e fe cb d6 58
No EAP-Key-Name received from server
WPA: Clear old PMK and PTK
EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1 mismatch: 0
SUCCESS
God bless you,
Thank you again!!!
Regards
On Wed, 28 Feb 2024 at 10:54, Alan DeKok <aland at deployingradius.com> wrote:
> On Feb 28, 2024, at 12:10 AM, Lucas Guimaraes via Freeradius-Users <
> freeradius-users at lists.freeradius.org> wrote:
> > For a few days, I'm trying to test FreeRADIUS server to see how EAP-TLS
> > authentication works on Wifi through a POC first.
> >
> > So far, I think I could advance pretty well since I didn't know very much
> > about the EAP-TLS authentication method.
>
> It can be a bit finicky to configure, but that's largely due to the fact
> that there are a lot of technical details to get right. That's the nature
> of EAP-TLS.
>
> > The expectation using FreeRADIUS is to see this POC working proporly
> using
> > the method EAP-TLS but I'm at a certain point where I don't understand
> why
> > I'm not getting an Access-Accept where should contain the
> MS-MPPE-Recv-Key
> > and MS-MPPE-Send-Key attributes too.
>
> The server only sends those attribute if the EAP authentication works.
>
> > Instead, what I'm understanding is, the server output is kind saying
> > "...Auth-Type sub-section not found. Ignoring...."
>
> The supplicant is going EAP, but somehow the EAP configuration has been
> removed from the "default" virtual server.
>
> I'd suggest also reading http://wiki.freeradius.org/radiusd-X
>
> That page describes how to read the debug output, and what to look for.
>
> > ...
> > server default { # from file /etc/freeradius/3.0/sites-enabled/default
> > # Loading authenticate {...}
> > Compiling Auth-Type PAP for attr Auth-Type
> > Compiling Auth-Type CHAP for attr Auth-Type
> > Compiling Auth-Type MS-CHAP for attr Auth-Type
>
> Note that there's no reference to "eap".
>
> > /etc/freeradius/3.0/sites-enabled/inner-tunnel
> > # Loading authenticate {...}
> > Compiling Auth-Type PAP for attr Auth-Type
> > Compiling Auth-Type CHAP for attr Auth-Type
> > Compiling Auth-Type MS-CHAP for attr Auth-Type
>
> And there's no reference to "eap" here, either.
> >
> > (0) Received Access-Request Id 0 from 127.0.0.1:47287 to 127.0.0.1:1812
> > length 146
> > (0) User-Name = "user at example.org"
> > (0) NAS-IP-Address = 127.0.0.1
> > (0) Calling-Station-Id = "02-00-00-00-00-01"
> > (0) Framed-MTU = 1400
> > (0) NAS-Port-Type = Wireless-802.11
> > (0) Service-Type = Framed-User
> > (0) Connect-Info = "CONNECT 11Mbps 802.11b"
> > (0) EAP-Message = 0x02e400150175736572406578616d706c652e6f7267
>
> A packet with EAP, good.
>
> > (0) eap: Peer sent EAP Response (code 2) ID 228 length 21
> > (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> > rest of authorize
> > (0) [eap] = ok
> > (0) } # authorize = ok
>
> The EAP module is being run in the "authorize" section.
>
> > (0) Found Auth-Type = eap
> > (0) Auth-Type sub-section not found. Ignoring.
>
> And there's no "Auth-Type EAP" section.
>
> Why? Someone deleted it from the default configuration.
>
> > About the certs, all the certs were generated by the ./bootstrap script
> and
> > nothing was changed from the original files.
>
> The debug output shows this isn't true.
>
> Someone edited the configuration files to remove "eap" from the
> "authenticate" section. And that change broke the server.
>
> So... don't do that.
>
> > Please, I kindly ask for this help to manage to authenticate with
> EAP-TLS.
>
> Go back to the default configuration files. They work.
>
> At the minimum, compare the default configuration files with the local
> versions. You'll note that the "authenticate" section in the default files
> has "eap", and your local copy doesn't have that.
>
> Alan DeKok.
>
>
--
Atenciosamente,
IT Technical Support
+55 11 96797-7832
--
AVISO DE CONFIDENCIALIDAD
Este mensaje de correo electrónico y sus
adjuntos pueden contener información confidencial o legalmente privilegiada
y está destinado únicamente al uso de los destinatarios. Esta prohibido a
las personas o entidades que no sean los destinatarios de este correo
cualquier tipo de modificación, copia, distribución, divulgación, retención
o uso de la información que contiene. La divulgación no autorizada,
difusión, distribución, copia o la adopción de cualquier acción basada en
la información aquí contenida, está prohibida. No puede garantizarse que
los correos electrónicos estén libres de errores, ya que pueden ser
interceptados, enmendados o contener virus. Cualquier persona que se
comunique con nosotros por correo electrónico se considera que ha aceptado
estos riesgos. El Propietario de los datos no se hace responsable de
errores u omisiones en este mensaje y niega cualquier responsabilidad por
cualquier daño que surja del uso del correo electrónico y no se
responsabiliza por su uso abusivo, contrario a la moral, a las buenas
costumbres o a la ley, o realizado fuera de las competencias laborales del
autor del mail.
CONFIDENTIALITY NOTICE
This e-mail message and any
attachments may contain confidential or legally privileged information and
is intended only for the use of the intended recipient(s). Any unauthorized
disclosure, dissemination, distribution, copying or any action in reliance
on the information herein is prohibited. It is prohibited to persons or
entities that are not the recipient(s) of this email any modification,
copying, distribution, disclosure, retention or use of the information
contained therein. E-mails are not secure and cannot be guaranteed to be
error free as they can be intercepted, amended, or contain viruses. Anyone
who communicates with us by e-mail is deemed to have accepted these risks.
The Data Owner is not responsible for errors or omissions in this message
and denies any responsibility for any damage arising from the use of
e-mail. Any opinion and other statement contained in this message and any
attachment are solely those of the author and do not necessarily represent
those of the company.
More information about the Freeradius-Users
mailing list