Seeking assistance with eap_peap error log
Joseph Repuyan
joseph.repuyan at cloud4x.com.au
Fri Jan 31 01:19:09 UTC 2025
Hi Alan,
This is a guest network that doesn't really allow anyone to connect 🙂
Apologies, here is the whole log.
Ready to process requests
(0) Received Access-Request Id 247 from 202.153.214.217:52341 to 172.26.34.11:1812 length 234
(0) User-Name = "mobex"
(0) NAS-Identifier = "MOBEX-ME-Merrylands-RTR01"
(0) Called-Station-Id = "A8-C0-EA-A4-18-69:MVR Guest"
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) NAS-Port = 1
(0) Calling-Station-Id = "98-5F-D3-3B-59-6B"
(0) Connect-Info = "CONNECT 54Mbps 802.11a"
(0) Acct-Session-Id = "30416198C3C19D88"
(0) Acct-Multi-Session-Id = "3FF7BAAE83B80DF7"
(0) WLAN-Pairwise-Cipher = 1027076
(0) WLAN-Group-Cipher = 1027074
(0) WLAN-AKM-Suite = 1027073
(0) Framed-MTU = 1400
(0) EAP-Message = 0x0251000a016d6f626578
(0) Message-Authenticator = 0xdec22a50ddf35bcbdfdcc059cc4fad5b
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "mobex", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 81 length 10
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 82 length 22
(0) eap: EAP session adding &reply:State = 0x954f8648951d820f
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Sent Access-Challenge Id 247 from 172.26.34.11:1812 to 202.153.214.217:52341 length 80
(0) EAP-Message = 0x015200160410444729aaf32a82869dc7facec3dd21eb
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x954f8648951d820f80da84d685fb7b66
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 248 from 202.153.214.217:52341 to 172.26.34.11:1812 length 249
(1) User-Name = "mobex"
(1) NAS-Identifier = "MOBEX-ME-Merrylands-RTR01"
(1) Called-Station-Id = "A8-C0-EA-A4-18-69:MVR Guest"
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) NAS-Port = 1
(1) Calling-Station-Id = "98-5F-D3-3B-59-6B"
(1) Connect-Info = "CONNECT 54Mbps 802.11a"
(1) Acct-Session-Id = "30416198C3C19D88"
(1) Acct-Multi-Session-Id = "3FF7BAAE83B80DF7"
(1) WLAN-Pairwise-Cipher = 1027076
(1) WLAN-Group-Cipher = 1027074
(1) WLAN-AKM-Suite = 1027073
(1) Framed-MTU = 1400
(1) EAP-Message = 0x02520007031915
(1) State = 0x954f8648951d820f80da84d685fb7b66
(1) Message-Authenticator = 0xe7535d01a9d25d5603c3ef037be994ce
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "mobex", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 82 length 7
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) sql: EXPAND %{User-Name}
(1) sql: --> mobex
(1) sql: SQL-User-Name set to 'mobex'
rlm_sql (sql): Reserved connection (0)
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'mobex' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'mobex' ORDER BY id
(1) sql: User found in radcheck table
(1) sql: Conditional check items matched, merging assignment check items
(1) sql: Cleartext-Password := "0axA at AnI"
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'mobex' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'mobex' ORDER BY id
(1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(1) sql: --> SELECT groupname FROM radusergroup WHERE username = 'mobex' ORDER BY priority
(1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'mobex' ORDER BY priority
(1) sql: User not found in any groups
rlm_sql (sql): Released connection (0)
Need more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
WARNING: MYSQL_OPT_RECONNECT is deprecated and will be removed in a future version.
rlm_sql_mysql: Connected to database 'radius' on ls-61b6063e62dc97c8929490b8306925389189a3ec.cp4gsew4uu2n.ap-southeast-2.rds.amazonaws.com via TCP/IP, server version 8.0.36, protocol version 10
rlm_sql (sql): Closing expired connection (4) - Hit idle_timeout limit
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing expired connection (3) - Hit idle_timeout limit
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing expired connection (2) - Hit idle_timeout limit
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): You probably need to lower "min"
rlm_sql (sql): Closing expired connection (1) - Hit idle_timeout limit
rlm_sql_mysql: Socket destructor called, closing socket
(1) [sql] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) authenticate {
(1) eap: Removing EAP session with state 0x954f8648951d820f
(1) eap: Previous EAP request found for state 0x954f8648951d820f, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: (TLS) PEAP -Initiating new session
(1) eap: Sending EAP Request (code 1) ID 83 length 6
(1) eap: EAP session adding &reply:State = 0x954f8648941c9f0f
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) session-state: Saving cached attributes
(1) Framed-MTU = 994
(1) Sent Access-Challenge Id 248 from 172.26.34.11:1812 to 202.153.214.217:52341 length 64
(1) EAP-Message = 0x015300061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x954f8648941c9f0f80da84d685fb7b66
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 249 from 202.153.214.217:52341 to 172.26.34.11:1812 length 414
(2) User-Name = "mobex"
(2) NAS-Identifier = "MOBEX-ME-Merrylands-RTR01"
(2) Called-Station-Id = "A8-C0-EA-A4-18-69:MVR Guest"
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) NAS-Port = 1
(2) Calling-Station-Id = "98-5F-D3-3B-59-6B"
(2) Connect-Info = "CONNECT 54Mbps 802.11a"
(2) Acct-Session-Id = "30416198C3C19D88"
(2) Acct-Multi-Session-Id = "3FF7BAAE83B80DF7"
(2) WLAN-Pairwise-Cipher = 1027076
(2) WLAN-Group-Cipher = 1027074
(2) WLAN-AKM-Suite = 1027073
(2) Framed-MTU = 1400
(2) EAP-Message = 0x025300ac1980000000a2160303009d010000990303679b0c75b83c303b5c77a728347011d84c9793242b6b635fb70650d91f7b8bf900002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100
(2) State = 0x954f8648941c9f0f80da84d685fb7b66
(2) Message-Authenticator = 0x5fac6dfbfc95e4d15b52424d60cacf7c
(2) Restoring &session-state
(2) &session-state:Framed-MTU = 994
(2) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "mobex", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 83 length 172
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) authenticate {
(2) eap: Removing EAP session with state 0x954f8648941c9f0f
(2) eap: Previous EAP request found for state 0x954f8648941c9f0f, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: (TLS) EAP Peer says that the final record size will be 162 bytes
(2) eap_peap: (TLS) EAP Got all data (162 bytes)
(2) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization
(2) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization
(2) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization
(2) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello
(2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client hello
(2) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello
(2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server hello
(2) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate
(2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write certificate
(2) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange
(2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key exchange
(2) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone
(2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done
(2) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS write server done
(2) eap_peap: (TLS) PEAP - In Handshake Phase
(2) eap: Sending EAP Request (code 1) ID 84 length 1004
(2) eap: EAP session adding &reply:State = 0x954f8648971b9f0f
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) session-state: Saving cached attributes
(2) Framed-MTU = 994
(2) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(2) Sent Access-Challenge Id 249 from 172.26.34.11:1812 to 202.153.214.217:52341 length 1068
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x954f8648971b9f0f80da84d685fb7b66
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 250 from 202.153.214.217:52341 to 172.26.34.11:1812 length 248
(3) User-Name = "mobex"
(3) NAS-Identifier = "MOBEX-ME-Merrylands-RTR01"
(3) Called-Station-Id = "A8-C0-EA-A4-18-69:MVR Guest"
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) NAS-Port = 1
(3) Calling-Station-Id = "98-5F-D3-3B-59-6B"
(3) Connect-Info = "CONNECT 54Mbps 802.11a"
(3) Acct-Session-Id = "30416198C3C19D88"
(3) Acct-Multi-Session-Id = "3FF7BAAE83B80DF7"
(3) WLAN-Pairwise-Cipher = 1027076
(3) WLAN-Group-Cipher = 1027074
(3) WLAN-AKM-Suite = 1027073
(3) Framed-MTU = 1400
(3) EAP-Message = 0x025400061900
(3) State = 0x954f8648971b9f0f80da84d685fb7b66
(3) Message-Authenticator = 0xf04b2bc806ab91a5858e36cb1386c188
(3) Restoring &session-state
(3) &session-state:Framed-MTU = 994
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(3) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "mobex", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 84 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) authenticate {
(3) eap: Removing EAP session with state 0x954f8648971b9f0f
(3) eap: Previous EAP request found for state 0x954f8648971b9f0f, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: (TLS) Peer ACKed our handshake fragment
(3) eap: Sending EAP Request (code 1) ID 85 length 1000
(3) eap: EAP session adding &reply:State = 0x954f8648961a9f0f
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) session-state: Saving cached attributes
(3) Framed-MTU = 994
(3) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(3) Sent Access-Challenge Id 250 from 172.26.34.11:1812 to 202.153.214.217:52341 length 1064
(3) EAP-Message = 0x015503e819406f62696c652d657870657274732e636f6d2e617582156d6f62696c652d657870657274732e636f6d2e61753082017f060a2b06010401d6790204020482016f0482016b0169007600cf1156eed52e7caff3875bd9692e9be91a71674ab017ecac01d25b77cecc3b080000018ed09c2733000004030047304502207b2682d4a97324309aa85e5eb9284b58e3c6e126d8e7d2428e72984751922a0402210099bb4bf99c288c7dc10a2917dbb78e772b1f0d81fdc700d7e1fa9df16de82a0c007600a2e30ae445efbdad9b7e38ed47677753d7825b8494d72b5e1b2cc4b950a447e70000018ed09c26f40000040300473045022100fb0bb92bf71543ad60bd76f92b343de1575348d768fa72bf52ba7953a75ecfe902206c2116595a48ae5188bc1ab177b7fbf95d196a4af205c51b7b67ccc91802d6220077004e75a3275c9a10c3385b6cd4df3f52eb1df0e08e1b8d69c0b1fa64b1629a39df0000018ed09c26c8000004030048304602210096fe02c838f9
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x954f8648961a9f0f80da84d685fb7b66
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 251 from 202.153.214.217:52341 to 172.26.34.11:1812 length 248
(4) User-Name = "mobex"
(4) NAS-Identifier = "MOBEX-ME-Merrylands-RTR01"
(4) Called-Station-Id = "A8-C0-EA-A4-18-69:MVR Guest"
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) NAS-Port = 1
(4) Calling-Station-Id = "98-5F-D3-3B-59-6B"
(4) Connect-Info = "CONNECT 54Mbps 802.11a"
(4) Acct-Session-Id = "30416198C3C19D88"
(4) Acct-Multi-Session-Id = "3FF7BAAE83B80DF7"
(4) WLAN-Pairwise-Cipher = 1027076
(4) WLAN-Group-Cipher = 1027074
(4) WLAN-AKM-Suite = 1027073
(4) Framed-MTU = 1400
(4) EAP-Message = 0x025500061900
(4) State = 0x954f8648961a9f0f80da84d685fb7b66
(4) Message-Authenticator = 0x98958c84be107e7e5d723e973f6ad750
(4) Restoring &session-state
(4) &session-state:Framed-MTU = 994
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(4) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "mobex", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 85 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) authenticate {
(4) eap: Removing EAP session with state 0x954f8648961a9f0f
(4) eap: Previous EAP request found for state 0x954f8648961a9f0f, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: (TLS) Peer ACKed our handshake fragment
(4) eap: Sending EAP Request (code 1) ID 86 length 1000
(4) eap: EAP session adding &reply:State = 0x954f864891199f0f
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) session-state: Saving cached attributes
(4) Framed-MTU = 994
(4) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(4) Sent Access-Challenge Id 251 from 172.26.34.11:1812 to 202.153.214.217:52341 length 1064
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x954f864891199f0f80da84d685fb7b66
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 252 from 202.153.214.217:52341 to 172.26.34.11:1812 length 248
(5) User-Name = "mobex"
(5) NAS-Identifier = "MOBEX-ME-Merrylands-RTR01"
(5) Called-Station-Id = "A8-C0-EA-A4-18-69:MVR Guest"
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) NAS-Port = 1
(5) Calling-Station-Id = "98-5F-D3-3B-59-6B"
(5) Connect-Info = "CONNECT 54Mbps 802.11a"
(5) Acct-Session-Id = "30416198C3C19D88"
(5) Acct-Multi-Session-Id = "3FF7BAAE83B80DF7"
(5) WLAN-Pairwise-Cipher = 1027076
(5) WLAN-Group-Cipher = 1027074
(5) WLAN-AKM-Suite = 1027073
(5) Framed-MTU = 1400
(5) EAP-Message = 0x025600061900
(5) State = 0x954f864891199f0f80da84d685fb7b66
(5) Message-Authenticator = 0xa4a3b3504fe440babd5c6a0841c3fb7b
(5) Restoring &session-state
(5) &session-state:Framed-MTU = 994
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(5) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "mobex", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 86 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) authenticate {
(5) eap: Removing EAP session with state 0x954f864891199f0f
(5) eap: Previous EAP request found for state 0x954f864891199f0f, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: (TLS) Peer ACKed our handshake fragment
(5) eap: Sending EAP Request (code 1) ID 87 length 600
(5) eap: EAP session adding &reply:State = 0x954f864890189f0f
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) session-state: Saving cached attributes
(5) Framed-MTU = 994
(5) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(5) Sent Access-Challenge Id 252 from 172.26.34.11:1812 to 202.153.214.217:52341 length 662
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x954f864890189f0f80da84d685fb7b66
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 253 from 202.153.214.217:52341 to 172.26.34.11:1812 length 345
(6) User-Name = "mobex"
(6) NAS-Identifier = "MOBEX-ME-Merrylands-RTR01"
(6) Called-Station-Id = "A8-C0-EA-A4-18-69:MVR Guest"
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) NAS-Port = 1
(6) Calling-Station-Id = "98-5F-D3-3B-59-6B"
(6) Connect-Info = "CONNECT 54Mbps 802.11a"
(6) Acct-Session-Id = "30416198C3C19D88"
(6) Acct-Multi-Session-Id = "3FF7BAAE83B80DF7"
(6) WLAN-Pairwise-Cipher = 1027076
(6) WLAN-Group-Cipher = 1027074
(6) WLAN-AKM-Suite = 1027073
(6) Framed-MTU = 1400
(6) EAP-Message = 0x0257006719800000005d16030300251000002120b3c1a38f12d2bab456422f4af4862fec0d1e517f1ea69cf3f06731f5d3af561e14030300010116030300280000000000000000626446f911e0e2659fcaa0470f0b7a655fe38a65ee03e72cdaf70c16f717ecc6
(6) State = 0x954f864890189f0f80da84d685fb7b66
(6) Message-Authenticator = 0x5a25f790d35e48c933572f11533aca1a
(6) Restoring &session-state
(6) &session-state:Framed-MTU = 994
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(6) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "mobex", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 87 length 103
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) authenticate {
(6) eap: Removing EAP session with state 0x954f864890189f0f
(6) eap: Previous EAP request found for state 0x954f864890189f0f, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: (TLS) EAP Peer says that the final record size will be 93 bytes
(6) eap_peap: (TLS) EAP Got all data (93 bytes)
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done
(6) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec
(6) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished
(6) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec
(6) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished
(6) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully
(6) eap_peap: (TLS) PEAP - Connection Established
(6) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) eap_peap: TLS-Session-Version = "TLS 1.2"
(6) eap: Sending EAP Request (code 1) ID 88 length 57
(6) eap: EAP session adding &reply:State = 0x954f864893179f0f
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) session-state: Saving cached attributes
(6) Framed-MTU = 994
(6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 253 from 172.26.34.11:1812 to 202.153.214.217:52341 length 115
(6) EAP-Message = 0x015800391900140303000101160303002885bd96aab26ad39cced536777b1037a2fd516b4013ba6aa63c0210b79e1c42b41286bc02f08e769c
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x954f864893179f0f80da84d685fb7b66
(6) Finished request
Waking up in 4.8 seconds.
(7) Received Access-Request Id 254 from 202.153.214.217:52341 to 172.26.34.11:1812 length 283
(7) User-Name = "mobex"
(7) NAS-Identifier = "MOBEX-ME-Merrylands-RTR01"
(7) Called-Station-Id = "A8-C0-EA-A4-18-69:MVR Guest"
(7) NAS-Port-Type = Wireless-802.11
(7) Service-Type = Framed-User
(7) NAS-Port = 1
(7) Calling-Station-Id = "98-5F-D3-3B-59-6B"
(7) Connect-Info = "CONNECT 54Mbps 802.11a"
(7) Acct-Session-Id = "30416198C3C19D88"
(7) Acct-Multi-Session-Id = "3FF7BAAE83B80DF7"
(7) WLAN-Pairwise-Cipher = 1027076
(7) WLAN-Group-Cipher = 1027074
(7) WLAN-AKM-Suite = 1027073
(7) Framed-MTU = 1400
(7) EAP-Message = 0x0258002919800000001f150303001a000000000000000153a7e5b0e7efc29fa5178a8b0d0858333a58
(7) State = 0x954f864893179f0f80da84d685fb7b66
(7) Message-Authenticator = 0x9c64929b1af8638cdd4342673b1e3305
(7) Restoring &session-state
(7) &session-state:Framed-MTU = 994
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "mobex", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 88 length 41
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7) authenticate {
(7) eap: Removing EAP session with state 0x954f864893179f0f
(7) eap: Previous EAP request found for state 0x954f864893179f0f, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: (TLS) EAP Peer says that the final record size will be 31 bytes
(7) eap_peap: (TLS) EAP Got all data (31 bytes)
(7) eap_peap: (TLS) PEAP - recv TLS 1.2 Alert, fatal access_denied
(7) eap_peap: (TLS) PEAP - The client is informing us that there is a failure inside the TLS protocol exchange.
(7) eap_peap: ERROR: (TLS) PEAP - Alert read:fatal:access denied
(7) eap_peap: ERROR: (TLS) Error in fragmentation logic - code 1
(7) eap_peap: ERROR: (TLS) Failed reading application data from OpenSSL: error:0A000419:SSL routines::tlsv1 alert access denied
(7) eap_peap: ERROR: [eaptls process] = fail
(7) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(7) eap: Sending EAP Failure (code 4) ID 88 length 4
(7) eap: Failed in EAP select
(7) [eap] = invalid
(7) } # authenticate = invalid
(7) Failed to authenticate the user
(7) Using Post-Auth-Type Reject
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7) Post-Auth-Type REJECT {
(7) sql: EXPAND .query
(7) sql: --> .query
(7) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (0)
(7) sql: EXPAND %{User-Name}
(7) sql: --> mobex
(7) sql: SQL-User-Name set to 'mobex'
(7) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S.%M' )
(7) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( 'mobex', '', 'Access-Reject', '2025-01-30 16:21:57.209866' )
(7) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( 'mobex', '', 'Access-Reject', '2025-01-30 16:21:57.209866' )
(7) sql: SQL query returned: success
(7) sql: 1 record(s) updated
rlm_sql (sql): Released connection (0)
(7) [sql] = ok
(7) attr_filter.access_reject: EXPAND %{User-Name}
(7) attr_filter.access_reject: --> mobex
(7) attr_filter.access_reject: Matched entry DEFAULT at line 11
(7) [attr_filter.access_reject] = updated
(7) [eap] = noop
(7) policy remove_reply_message_if_eap {
(7) if (&reply:EAP-Message && &reply:Reply-Message) {
(7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(7) else {
(7) [noop] = noop
(7) } # else = noop
(7) } # policy remove_reply_message_if_eap = noop
(7) } # Post-Auth-Type REJECT = updated
(7) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(7) Sending delayed response
(7) Sent Access-Reject Id 254 from 172.26.34.11:1812 to 202.153.214.217:52341 length 44
(7) EAP-Message = 0x04580004
(7) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
(0) Cleaning up request packet ID 247 with timestamp +1759 due to cleanup_delay was reached
(1) Cleaning up request packet ID 248 with timestamp +1759 due to cleanup_delay was reached
(2) Cleaning up request packet ID 249 with timestamp +1759 due to cleanup_delay was reached
(3) Cleaning up request packet ID 250 with timestamp +1759 due to cleanup_delay was reached
(4) Cleaning up request packet ID 251 with timestamp +1759 due to cleanup_delay was reached
(5) Cleaning up request packet ID 252 with timestamp +1759 due to cleanup_delay was reached
(6) Cleaning up request packet ID 253 with timestamp +1759 due to cleanup_delay was reached
(7) Cleaning up request packet ID 254 with timestamp +1759 due to cleanup_delay was reached
Ready to process requests
Regards.
Joseph
________________________________
From: Alan DeKok <aland at deployingradius.com>
Sent: Friday, January 31, 2025 11:45
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: Joseph Repuyan <joseph.repuyan at cloud4x.com.au>
Subject: Re: Seeking assistance with eap_peap error log
On Jan 30, 2025, at 7:25 PM, Joseph Repuyan via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> We have a wireless setup where the SSID password is updated every day. FreeRADIUS is used for authentication and some automation behind to update the password and store them to an SQL database.
> Mobile phones can successfully authenticate using the password for the day, but laptops cannot. The client claims both Mac and Windows laptops cannot connect but I only have logs of the Windows machine attempting to authenticate. Attached are the logs.
Changing passwords every day doesn't really make sense. The laptops will cache the password, and won't always give the user a pop-up when it changes. Which means that the user can't change the password, because the laptop won't let them.
> Near the bottom of the logs, I found these errors.
Or, try reading *all* of the logs. There's a ton more information which you've "helpfully" deleted.
This is documented in as many places as we can put it: http://wiki.freeradius.org/list-help
> From the looks of it, the client itself is complaining about the TLS exchange, but I'm lost as to what to check next. I cannot replicate the issue with my Windows laptop using the same FreeRADIUS server (but using a different access point).
If you read all of the debug output, or post it here without deleting almost every bit of useful information, odds are that the answer is in those messages.
The server produces huge amounts of logs for a reason. Something in there is almost always useful. If you ignore nearly all of the messages, it will be much more difficult to fix any problem.
If you're worried about devices being stolen, just give each device a unique username and password. Then if one gets stolen, you can just disable that account, and everything is fine.
But... don't change passwords every day. It's fake security. It doesn't help. It just causes problems.
Nobody else changes PEAP passwords every day precisely because of the issues you're running into.
Alan DeKok.
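Added example, not part of the original thread and not FreeRADIUS code: a small decoder for the EAP-Message values in requests (6) and (7) of the debug output above. It shows that the server's last flight was a ChangeCipherSpec plus an encrypted Finished, and that the client's reply was a single TLS alert record; the alert body is encrypted on the wire, so the "fatal access_denied" text exists only in the server's debug log. The function and constant names are assumptions made for this example, and it handles unfragmented messages only.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert",
               22: "handshake", 23: "application_data"}

# EAP-Message values copied verbatim from the debug output above.
CHALLENGE_6 = ("0x015800391900140303000101160303002885bd96aab26ad39cced536777b"
               "1037a2fd516b4013ba6aa63c0210b79e1c42b41286bc02f08e769c")
RESPONSE_7 = ("0x0258002919800000001f150303001a000000000000000153a7e5b0e7efc2"
              "9fa5178a8b0d0858333a58")
REJECT_7 = "0x04580004"


def parse_eap_tls(hex_value):
    """Decode the EAP header and outer TLS record headers of one EAP-Message."""
    text = hex_value[2:] if hex_value.startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length {length} != {len(raw)} bytes present")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "type": None, "tls_length": None, "more_fragments": False,
           "records": []}
    if code not in (1, 2):       # Success/Failure carry no type or data
        return out
    out["type"], flags = raw[4], raw[5]   # type 25 = PEAP
    pos = 6
    if flags & 0x80:             # L bit: 4-byte total TLS message length follows
        out["tls_length"] = struct.unpack("!I", raw[pos:pos + 4])[0]
        pos += 4
    out["more_fragments"] = bool(flags & 0x40)   # M bit
    # Walk the TLS record headers: content type, version, length.
    # Record bodies after ChangeCipherSpec are ciphertext and are skipped.
    while pos + 5 <= len(raw):
        ctype, major, minor, rlen = struct.unpack("!BBBH", raw[pos:pos + 5])
        out["records"].append(
            (TLS_CONTENT.get(ctype, ctype), f"{major}.{minor}", rlen))
        pos += 5 + rlen          # version 3.3 on the wire means TLS 1.2
    return out


if __name__ == "__main__":
    for name in ("CHALLENGE_6", "RESPONSE_7", "REJECT_7"):
        print(name, parse_eap_tls(globals()[name]))
```

The 31-byte TLS length in the response matches the "final record size will be 31 bytes" line logged for request (7): a 5-byte record header plus a 26-byte encrypted alert.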