FreeRadius in lmn7: Windows on the WLAN

Hello everyone,

My WLAN has been working without problems for weeks now: just not with Windows…
Everyone gets onto the network with WPA2 Enterprise: just not Windows … well, that is not quite right: Windows does get in, but says: Connected, no Internet
And there really is no Internet.
In the config file
/etc/freeradius/3.0/mods-available/eap
there is something revealing about Windows and EAP:
"
COMPATIBILITY

The certificates created using this method are known to be compatible
with ALL operating systems. Some common issues are:

  • Windows requires certain OIDs in the certificates. If it doesn’t
    see them, it will stop doing EAP. The most visible effect is
    that the client starts EAP, gets a few Access-Challenge packets,
    and then a little while later re-starts EAP. If this happens, see
    the FAQ, and the comments in raddb/eap.conf for how to fix it.

  • Windows requires the root certificates to be on the client PC.
    If it doesn’t have them, you will see the same issue as above.

  • Windows XP post SP2 has a bug where it has problems with
    certificate chains. i.e. if the server certificate is an
    intermediate one, and not a root one, then authentication will
    silently fail, as above.

  • Some versions of Windows CE cannot handle 4K RSA certificates.
    They will (again) silently fail, as above.

  • In none of these cases will Windows give the end user any
    reasonable error message describing what went wrong. This leads
    people to blame the RADIUS server. That blame is misplaced.

  • Certificate chains of more than 64K bytes are known to not work.
    This is a problem in FreeRADIUS. However, most clients cannot
    handle 64K certificate chains. Most Access Points will shut down
    the EAP session after about 50 round trips, while 64K certificate
    chains will take about 60 round trips. So don’t use large
    certificate chains. They will only work after everyone upgrade
    everything in the network.

  • All other operating systems are known to work with EAP and
    FreeRADIUS. This includes Linux, *BSD, Mac OS X, Solaris,
    Symbian, along with all known embedded systems, phones, WiFi
    devices, etc.

  • Someone needs to ask Microsoft to please stop making life hard for
    their customers.
"

So yesterday I created a new self-signed certificate following the instructions in the directory /etc/freeradius/3.0/certs/ and point to it in eap.conf.
Effect: everyone gets in as usual … only Windows "silently fails" … so still "Connected, no Internet".

Does anyone have an idea?
Or experience with the freeradius config?

Regards

Holger

Hello Holger,

Does your Windows machine work with the same routing/DNS/proxy setup as the other clients that connect successfully?

Regards, Christoph

Hi Holger,

What do the logs say, or rather freeradius itself, when you run it in debug mode (freeradius -X)?

Regards, Stephan

Hello Christoph,

Does your Windows machine work with the same routing/DNS/proxy setup
as the other clients that connect successfully?

I deliberately set up an old laptop with Win10 1903 so that I can
test …
Yes: the IP is from the same range as on my Linux laptop.
Gateway and DNS are the same.

Regards

Holger

Hello Stephan,

What do the logs say, or rather freeradius itself, when you run it in debug mode
(freeradius -X)?
Here are two logins one after the other: first my Linux laptop (MAC ending in AC), then the Windows laptop (MAC ending in 88, but only in the next message, because otherwise this one gets too long):

Wed Oct  2 14:27:32 2019 : Debug: (27) Received Access-Request Id 72 from 10.17.15.31:59627 to 10.16.1.1:1812 length 312
Wed Oct  2 14:27:32 2019 : Debug: (27)   User-Name = "baumho"
Wed Oct  2 14:27:32 2019 : Debug: (27)   NAS-Identifier = "f09fc2fe0e88"
Wed Oct  2 14:27:32 2019 : Debug: (27)   Called-Station-Id = "F0-9F-C2-FE-0E-88:LMGSR"
Wed Oct  2 14:27:32 2019 : Debug: (27)   NAS-Port-Type = Wireless-802.11
Wed Oct  2 14:27:32 2019 : Debug: (27)   Service-Type = Framed-User
Wed Oct  2 14:27:32 2019 : Debug: (27)   Calling-Station-Id = "60-67-20-B5-12-AC"
Wed Oct  2 14:27:32 2019 : Debug: (27)   Connect-Info = "CONNECT 0Mbps 802.11b"
Wed Oct  2 14:27:32 2019 : Debug: (27)   Acct-Session-Id = "B8695F95492C3A28"
Wed Oct  2 14:27:32 2019 : Debug: (27)   WLAN-Pairwise-Cipher = 1027076
Wed Oct  2 14:27:32 2019 : Debug: (27)   WLAN-Group-Cipher = 1027076
Wed Oct  2 14:27:32 2019 : Debug: (27)   WLAN-AKM-Suite = 1027073
Wed Oct  2 14:27:32 2019 : Debug: (27)   Framed-MTU = 1400
Wed Oct  2 14:27:32 2019 : Debug: (27)   EAP-Message = 0x0251006f15001703030064f6d056a71412327874cb171b5b78a66414a7b4a8cc0cf237b3ed55da13217e560b39f960fb48702dd380a815cf6283b86979b5fca795a32ee3eb7935595e82e3fdbd27a1a073d1f35846ce3755250ae9010eb1bdbb253f756d8b698033669d4f3d266d1b
Wed Oct  2 14:27:32 2019 : Debug: (27)   State = 0xeb6007aaed31127e5bc8d5d0acc56213
Wed Oct  2 14:27:32 2019 : Debug: (27)   Message-Authenticator = 0x68cccfbd3bd77835609fda0eecd1d6f7
Wed Oct  2 14:27:32 2019 : Debug: (27) session-state: No cached attributes
Wed Oct  2 14:27:32 2019 : Debug: (27) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
Wed Oct  2 14:27:32 2019 : Debug: (27)   authorize {
Wed Oct  2 14:27:32 2019 : Debug: (27)     policy filter_username {
Wed Oct  2 14:27:32 2019 : Debug: (27)       if (&User-Name) {
Wed Oct  2 14:27:32 2019 : Debug: (27)       if (&User-Name)  -> TRUE
Wed Oct  2 14:27:32 2019 : Debug: (27)       if (&User-Name)  {
Wed Oct  2 14:27:32 2019 : Debug: (27)         if (&User-Name =~ / /) {
Wed Oct  2 14:27:32 2019 : Debug: (27)         if (&User-Name =~ / /)  -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (27)         if (&User-Name =~ /@[^@]*@/ ) {
Wed Oct  2 14:27:32 2019 : Debug: (27)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (27)         if (&User-Name =~ /\.\./ ) {
Wed Oct  2 14:27:32 2019 : Debug: (27)         if (&User-Name =~ /\.\./ )  -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (27)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
Wed Oct  2 14:27:32 2019 : Debug: (27)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (27)         if (&User-Name =~ /\.$/)  {
Wed Oct  2 14:27:32 2019 : Debug: (27)         if (&User-Name =~ /\.$/)   -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (27)         if (&User-Name =~ /@\./)  {
Wed Oct  2 14:27:32 2019 : Debug: (27)         if (&User-Name =~ /@\./)   -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (27)       } # if (&User-Name)  = notfound
Wed Oct  2 14:27:32 2019 : Debug: (27)     } # policy filter_username = notfound
Wed Oct  2 14:27:32 2019 : Debug: (27)     modsingle[authorize]: calling preprocess (rlm_preprocess)
Wed Oct  2 14:27:32 2019 : Debug: (27)     modsingle[authorize]: returned from preprocess (rlm_preprocess)
Wed Oct  2 14:27:32 2019 : Debug: (27)     [preprocess] = ok
Wed Oct  2 14:27:32 2019 : Debug: (27)     modsingle[authorize]: calling chap (rlm_chap)
Wed Oct  2 14:27:32 2019 : Debug: (27)     modsingle[authorize]: returned from chap (rlm_chap)
Wed Oct  2 14:27:32 2019 : Debug: (27)     [chap] = noop
Wed Oct  2 14:27:32 2019 : Debug: (27)     modsingle[authorize]: calling mschap (rlm_mschap)
Wed Oct  2 14:27:32 2019 : Debug: (27)     modsingle[authorize]: returned from mschap (rlm_mschap)
Wed Oct  2 14:27:32 2019 : Debug: (27)     [mschap] = noop
Wed Oct  2 14:27:32 2019 : Debug: (27)     modsingle[authorize]: calling digest (rlm_digest)
Wed Oct  2 14:27:32 2019 : Debug: (27)     modsingle[authorize]: returned from digest (rlm_digest)
Wed Oct  2 14:27:32 2019 : Debug: (27)     [digest] = noop
Wed Oct  2 14:27:32 2019 : Debug: (27)     modsingle[authorize]: calling suffix (rlm_realm)
Wed Oct  2 14:27:32 2019 : Debug: (27) suffix: Checking for suffix after "@"
Wed Oct  2 14:27:32 2019 : Debug: (27) suffix: No '@' in User-Name = "baumho", looking up realm NULL
Wed Oct  2 14:27:32 2019 : Debug: (27) suffix: No such realm "NULL"
Wed Oct  2 14:27:32 2019 : Debug: (27)     modsingle[authorize]: returned from suffix (rlm_realm)
Wed Oct  2 14:27:32 2019 : Debug: (27)     [suffix] = noop
Wed Oct  2 14:27:32 2019 : Debug: (27)     modsingle[authorize]: calling eap (rlm_eap)
Wed Oct  2 14:27:32 2019 : Debug: (27) eap: Peer sent EAP Response (code 2) ID 81 length 111
Wed Oct  2 14:27:32 2019 : Debug: (27) eap: Continuing tunnel setup
Wed Oct  2 14:27:32 2019 : Debug: (27)     modsingle[authorize]: returned from eap (rlm_eap)
Wed Oct  2 14:27:32 2019 : Debug: (27)     [eap] = ok
Wed Oct  2 14:27:32 2019 : Debug: (27)   } # authorize = ok
Wed Oct  2 14:27:32 2019 : Debug: (27) Found Auth-Type = eap
Wed Oct  2 14:27:32 2019 : Debug: (27) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
Wed Oct  2 14:27:32 2019 : Debug: (27)   authenticate {
Wed Oct  2 14:27:32 2019 : Debug: (27)     modsingle[authenticate]: calling eap (rlm_eap)
Wed Oct  2 14:27:32 2019 : Debug: (27) eap: Expiring EAP session with state 0x3ee384dc3fe19e4d
Wed Oct  2 14:27:32 2019 : Debug: (27) eap: Finished EAP session with state 0xeb6007aaed31127e
Wed Oct  2 14:27:32 2019 : Debug: (27) eap: Previous EAP request found for state 0xeb6007aaed31127e, released from the list
Wed Oct  2 14:27:32 2019 : Debug: (27) eap: Peer sent packet with method EAP TTLS (21)
Wed Oct  2 14:27:32 2019 : Debug: (27) eap: Calling submodule eap_ttls to process data
Wed Oct  2 14:27:32 2019 : Debug: (27) eap_ttls: Authenticate
Wed Oct  2 14:27:32 2019 : Debug: (27) eap_ttls: Continuing EAP-TLS
Wed Oct  2 14:27:32 2019 : Debug: (27) eap_ttls: Peer sent flags ---
Wed Oct  2 14:27:32 2019 : Debug: (27) eap_ttls: [eaptls verify] = ok
Wed Oct  2 14:27:32 2019 : Debug: (27) eap_ttls: Done initial handshake
Wed Oct  2 14:27:32 2019 : Debug: (27) eap_ttls: [eaptls process] = ok
Wed Oct  2 14:27:32 2019 : Debug: (27) eap_ttls: Session established.  Proceeding to decode tunneled attributes
Wed Oct  2 14:27:32 2019 : Debug: (27) eap_ttls: Got tunneled request
Wed Oct  2 14:27:32 2019 : Debug: (27) eap_ttls:   EAP-Message = 0x020200411a0202003c31ce711d6c524c1830e5ddd7fee478b0a30000000000000000c82a687251cd5d5d0d484a3a054d7d591b8fa8e166aea306006261756d686f
Wed Oct  2 14:27:32 2019 : Debug: (27) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
Wed Oct  2 14:27:32 2019 : Debug: (27) eap_ttls: Sending tunneled request
Wed Oct  2 14:27:32 2019 : Debug: (27) Virtual server inner-tunnel received request
Wed Oct  2 14:27:32 2019 : Debug: (27)   EAP-Message = 0x020200411a0202003c31ce711d6c524c1830e5ddd7fee478b0a30000000000000000c82a687251cd5d5d0d484a3a054d7d591b8fa8e166aea306006261756d686f
Wed Oct  2 14:27:32 2019 : Debug: (27)   FreeRADIUS-Proxied-To = 127.0.0.1
Wed Oct  2 14:27:32 2019 : Debug: (27)   User-Name = "baumho"
Wed Oct  2 14:27:32 2019 : Debug: (27)   State = 0x3ee384dc3fe19e4dcc7851e2e427c8b8
Wed Oct  2 14:27:32 2019 : WARNING: (27) Outer and inner identities are the same.  User privacy is compromised.
Wed Oct  2 14:27:32 2019 : Debug: (27) server inner-tunnel {
Wed Oct  2 14:27:32 2019 : Debug: (27)   session-state: No cached attributes
Wed Oct  2 14:27:32 2019 : Debug: (27)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
Wed Oct  2 14:27:32 2019 : Debug: (27)     authorize {
Wed Oct  2 14:27:32 2019 : Debug: (27)       policy filter_username {
Wed Oct  2 14:27:32 2019 : Debug: (27)         if (&User-Name) {
Wed Oct  2 14:27:32 2019 : Debug: (27)         if (&User-Name)  -> TRUE
Wed Oct  2 14:27:32 2019 : Debug: (27)         if (&User-Name)  {
Wed Oct  2 14:27:32 2019 : Debug: (27)           if (&User-Name =~ / /) {
Wed Oct  2 14:27:32 2019 : Debug: (27)           if (&User-Name =~ / /)  -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (27)           if (&User-Name =~ /@[^@]*@/ ) {
Wed Oct  2 14:27:32 2019 : Debug: (27)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (27)           if (&User-Name =~ /\.\./ ) {
Wed Oct  2 14:27:32 2019 : Debug: (27)           if (&User-Name =~ /\.\./ )  -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (27)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
Wed Oct  2 14:27:32 2019 : Debug: (27)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (27)           if (&User-Name =~ /\.$/)  {
Wed Oct  2 14:27:32 2019 : Debug: (27)           if (&User-Name =~ /\.$/)   -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (27)           if (&User-Name =~ /@\./)  {
Wed Oct  2 14:27:32 2019 : Debug: (27)           if (&User-Name =~ /@\./)   -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (27)         } # if (&User-Name)  = notfound
Wed Oct  2 14:27:32 2019 : Debug: (27)       } # policy filter_username = notfound
Wed Oct  2 14:27:32 2019 : Debug: (27)       modsingle[authorize]: calling chap (rlm_chap)
Wed Oct  2 14:27:32 2019 : Debug: (27)       modsingle[authorize]: returned from chap (rlm_chap)
Wed Oct  2 14:27:32 2019 : Debug: (27)       [chap] = noop
Wed Oct  2 14:27:32 2019 : Debug: (27)       modsingle[authorize]: calling mschap (rlm_mschap)
Wed Oct  2 14:27:32 2019 : Debug: (27)       modsingle[authorize]: returned from mschap (rlm_mschap)
Wed Oct  2 14:27:32 2019 : Debug: (27)       [mschap] = noop
Wed Oct  2 14:27:32 2019 : Debug: (27)       modsingle[authorize]: calling suffix (rlm_realm)
Wed Oct  2 14:27:32 2019 : Debug: (27) suffix: Checking for suffix after "@"
Wed Oct  2 14:27:32 2019 : Debug: (27) suffix: No '@' in User-Name = "baumho", looking up realm NULL
Wed Oct  2 14:27:32 2019 : Debug: (27) suffix: No such realm "NULL"
Wed Oct  2 14:27:32 2019 : Debug: (27)       modsingle[authorize]: returned from suffix (rlm_realm)
Wed Oct  2 14:27:32 2019 : Debug: (27)       [suffix] = noop
Wed Oct  2 14:27:32 2019 : Debug: (27)       update control {
Wed Oct  2 14:27:32 2019 : Debug: (27)         &Proxy-To-Realm := LOCAL
Wed Oct  2 14:27:32 2019 : Debug: (27)       } # update control = noop
Wed Oct  2 14:27:32 2019 : Debug: (27)       modsingle[authorize]: calling eap (rlm_eap)
Wed Oct  2 14:27:32 2019 : Debug: (27) eap: Peer sent EAP Response (code 2) ID 2 length 65
Wed Oct  2 14:27:32 2019 : Debug: (27) eap: No EAP Start, assuming it's an on-going EAP conversation
Wed Oct  2 14:27:32 2019 : Debug: (27)       modsingle[authorize]: returned from eap (rlm_eap)
Wed Oct  2 14:27:32 2019 : Debug: (27)       [eap] = updated
Wed Oct  2 14:27:32 2019 : Debug: (27)       modsingle[authorize]: calling files (rlm_files)
Wed Oct  2 14:27:32 2019 : Debug: (27) files: users: Matched entry DEFAULT at line 175
Wed Oct  2 14:27:32 2019 : Debug: (27)       modsingle[authorize]: returned from files (rlm_files)
Wed Oct  2 14:27:32 2019 : Debug: (27)       [files] = ok
Wed Oct  2 14:27:32 2019 : Debug: (27)       modsingle[authorize]: calling expiration (rlm_expiration)
Wed Oct  2 14:27:32 2019 : Debug: (27)       modsingle[authorize]: returned from expiration (rlm_expiration)
Wed Oct  2 14:27:32 2019 : Debug: (27)       [expiration] = noop
Wed Oct  2 14:27:32 2019 : Debug: (27)       modsingle[authorize]: calling logintime (rlm_logintime)
Wed Oct  2 14:27:32 2019 : Debug: (27)       modsingle[authorize]: returned from logintime (rlm_logintime)
Wed Oct  2 14:27:32 2019 : Debug: (27)       [logintime] = noop
Wed Oct  2 14:27:32 2019 : Debug: (27)       modsingle[authorize]: calling pap (rlm_pap)
Wed Oct  2 14:27:32 2019 : Debug: (27)       modsingle[authorize]: returned from pap (rlm_pap)
Wed Oct  2 14:27:32 2019 : Debug: (27)       [pap] = noop
Wed Oct  2 14:27:32 2019 : Debug: (27)     } # authorize = updated
Wed Oct  2 14:27:32 2019 : Debug: (27)   Found Auth-Type = eap
Wed Oct  2 14:27:32 2019 : Debug: (27)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
Wed Oct  2 14:27:32 2019 : Debug: (27)     authenticate {
Wed Oct  2 14:27:32 2019 : Debug: (27)       modsingle[authenticate]: calling eap (rlm_eap)
Wed Oct  2 14:27:32 2019 : Debug: (27) eap: Expiring EAP session with state 0x3ee384dc3fe19e4d
Wed Oct  2 14:27:32 2019 : Debug: (27) eap: Finished EAP session with state 0x3ee384dc3fe19e4d
Wed Oct  2 14:27:32 2019 : Debug: (27) eap: Previous EAP request found for state 0x3ee384dc3fe19e4d, released from the list
Wed Oct  2 14:27:32 2019 : Debug: (27) eap: Peer sent packet with method EAP MSCHAPv2 (26)
Wed Oct  2 14:27:32 2019 : Debug: (27) eap: Calling submodule eap_mschapv2 to process data
Wed Oct  2 14:27:32 2019 : Debug: (27) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
Wed Oct  2 14:27:32 2019 : Debug: (27) eap_mschapv2:   authenticate {
Wed Oct  2 14:27:32 2019 : Debug: (27) eap_mschapv2:     modsingle[authenticate]: calling mschap (rlm_mschap)
Wed Oct  2 14:27:32 2019 : Debug: (27) mschap: Creating challenge hash with username: baumho
Wed Oct  2 14:27:32 2019 : Debug: (27) mschap: Client is using MS-CHAPv2
Wed Oct  2 14:27:32 2019 : Debug: (27) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=BZPF --require-membership-of=BZPF\wifi --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
Wed Oct  2 14:27:32 2019 : Debug: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
Wed Oct  2 14:27:32 2019 : Debug: Parsed xlat tree:
Wed Oct  2 14:27:32 2019 : Debug: literal --> --username=
Wed Oct  2 14:27:32 2019 : Debug: XLAT-IF {
Wed Oct  2 14:27:32 2019 : Debug: 	attribute --> Stripped-User-Name
Wed Oct  2 14:27:32 2019 : Debug: }
Wed Oct  2 14:27:32 2019 : Debug: XLAT-ELSE {
Wed Oct  2 14:27:32 2019 : Debug: 	XLAT-IF {
Wed Oct  2 14:27:32 2019 : Debug: 		attribute --> User-Name
Wed Oct  2 14:27:32 2019 : Debug: 	}
Wed Oct  2 14:27:32 2019 : Debug: 	XLAT-ELSE {
Wed Oct  2 14:27:32 2019 : Debug: 		literal --> None
Wed Oct  2 14:27:32 2019 : Debug: 	}
Wed Oct  2 14:27:32 2019 : Debug: }
Wed Oct  2 14:27:32 2019 : Debug: (27) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
Wed Oct  2 14:27:32 2019 : Debug: (27) mschap:    --> --username=baumho
Wed Oct  2 14:27:32 2019 : Debug: --challenge=%{%{mschap:Challenge}:-00}
Wed Oct  2 14:27:32 2019 : Debug: Parsed xlat tree:
Wed Oct  2 14:27:32 2019 : Debug: literal --> --challenge=
Wed Oct  2 14:27:32 2019 : Debug: XLAT-IF {
Wed Oct  2 14:27:32 2019 : Debug: 	xlat --> mschap
Wed Oct  2 14:27:32 2019 : Debug: 	{
Wed Oct  2 14:27:32 2019 : Debug: 		literal --> Challenge
Wed Oct  2 14:27:32 2019 : Debug: 	}
Wed Oct  2 14:27:32 2019 : Debug: }
Wed Oct  2 14:27:32 2019 : Debug: XLAT-ELSE {
Wed Oct  2 14:27:32 2019 : Debug: 	literal --> 00
Wed Oct  2 14:27:32 2019 : Debug: }
Wed Oct  2 14:27:32 2019 : Debug: (27) mschap: Creating challenge hash with username: baumho
Wed Oct  2 14:27:32 2019 : Debug: (27) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
Wed Oct  2 14:27:32 2019 : Debug: (27) mschap:    --> --challenge=00049bed3e100bcd
Wed Oct  2 14:27:32 2019 : Debug: --nt-response=%{%{mschap:NT-Response}:-00}
Wed Oct  2 14:27:32 2019 : Debug: Parsed xlat tree:
Wed Oct  2 14:27:32 2019 : Debug: literal --> --nt-response=
Wed Oct  2 14:27:32 2019 : Debug: XLAT-IF {
Wed Oct  2 14:27:32 2019 : Debug: 	xlat --> mschap
Wed Oct  2 14:27:32 2019 : Debug: 	{
Wed Oct  2 14:27:32 2019 : Debug: 		literal --> NT-Response
Wed Oct  2 14:27:32 2019 : Debug: 	}
Wed Oct  2 14:27:32 2019 : Debug: }
Wed Oct  2 14:27:32 2019 : Debug: XLAT-ELSE {
Wed Oct  2 14:27:32 2019 : Debug: 	literal --> 00
Wed Oct  2 14:27:32 2019 : Debug: }
Wed Oct  2 14:27:32 2019 : Debug: (27) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
Wed Oct  2 14:27:32 2019 : Debug: (27) mschap:    --> --nt-response=c82a687251cd5d5d0d484a3a054d7d591b8fa8e166aea306
Wed Oct  2 14:27:32 2019 : Debug: (27) mschap: Program returned code (0) and output 'NT_KEY: 080502FA45DA99D415BF829B0861A1C0'
Wed Oct  2 14:27:32 2019 : Debug: (27) mschap: Adding MS-CHAPv2 MPPE keys
Wed Oct  2 14:27:32 2019 : Debug: (27)     modsingle[authenticate]: returned from mschap (rlm_mschap)
Wed Oct  2 14:27:32 2019 : Debug: (27)     [mschap] = ok
Wed Oct  2 14:27:32 2019 : Debug: (27)   } # authenticate = ok
Wed Oct  2 14:27:32 2019 : Debug: (27) MSCHAP Success
Wed Oct  2 14:27:32 2019 : Debug: (27) eap: Sending EAP Request (code 1) ID 3 length 51
Wed Oct  2 14:27:32 2019 : Debug: (27) eap: EAP session adding &reply:State = 0x3ee384dc3ce09e4d
Wed Oct  2 14:27:32 2019 : Debug: (27)       modsingle[authenticate]: returned from eap (rlm_eap)
Wed Oct  2 14:27:32 2019 : Debug: (27)       [eap] = handled
Wed Oct  2 14:27:32 2019 : Debug: (27)     } # authenticate = handled
Wed Oct  2 14:27:32 2019 : Debug: (27) } # server inner-tunnel
Wed Oct  2 14:27:32 2019 : Debug: (27) Virtual server sending reply
Wed Oct  2 14:27:32 2019 : Debug: (27)   EAP-Message = 0x010300331a0302002e533d46353841464144383441353535363938363830323142443536453830373537453237424645343539
Wed Oct  2 14:27:32 2019 : Debug: (27)   Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct  2 14:27:32 2019 : Debug: (27)   State = 0x3ee384dc3ce09e4dcc7851e2e427c8b8
Wed Oct  2 14:27:32 2019 : Debug: (27) eap_ttls: Got tunneled Access-Challenge
Wed Oct  2 14:27:32 2019 : Debug: (27) eap: Sending EAP Request (code 1) ID 82 length 99
Wed Oct  2 14:27:32 2019 : Debug: (27) eap: EAP session adding &reply:State = 0xeb6007aaec32127e
Wed Oct  2 14:27:32 2019 : Debug: (27)     modsingle[authenticate]: returned from eap (rlm_eap)
Wed Oct  2 14:27:32 2019 : Debug: (27)     [eap] = handled
Wed Oct  2 14:27:32 2019 : Debug: (27)   } # authenticate = handled
Wed Oct  2 14:27:32 2019 : Debug: (27) Using Post-Auth-Type Challenge
Wed Oct  2 14:27:32 2019 : Debug: (27) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
Wed Oct  2 14:27:32 2019 : Debug: (27)   Challenge { ... } # empty sub-section is ignored
Wed Oct  2 14:27:32 2019 : Debug: (27) session-state: Nothing to cache
Wed Oct  2 14:27:32 2019 : Debug: (27) Sent Access-Challenge Id 72 from 10.16.1.1:1812 to 10.17.15.31:59627 length 0
Wed Oct  2 14:27:32 2019 : Debug: (27)   EAP-Message = 0x015200631580000000591703030054bc81a2d2253c68f4b3c602d823deb5b71b60ef228d0f89118adf0e639cd15f0415c0731cbd4d6a8b5f4612697bdb6f942a28f60acc3587db6b118b127fc7a72df017a8e56ea2438b5194954eaf4d00425221d514
Wed Oct  2 14:27:32 2019 : Debug: (27)   Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct  2 14:27:32 2019 : Debug: (27)   State = 0xeb6007aaec32127e5bc8d5d0acc56213
Wed Oct  2 14:27:32 2019 : Debug: (27) Finished request

What stands out is this message:
WARNING: (27) Outer and inner identities are the same. User privacy is compromised.

But it appears in both login attempts.
And both are actually successful.
I have now found out, though, why Windows does not get onto the Internet (see the other post: this one is more than long enough).

Regards

Holger

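To make debug output like the two logins above easier to compare, here is a small parser (an added example; not FreeRADIUS code and not from this thread) that groups `freeradius -X` lines by request number, records the outer and inner User-Name, the EAP methods seen, the MS-CHAP result and the reply the server sent, and recomputes the condition behind the "Outer and inner identities are the same" WARNING instead of relying on the warning line alone. The sample log is constructed: a condensed subset of request (27) from this thread plus an invented request (29) with an anonymous outer identity (`anonymous@example.org`) that ends in an Access-Reject. The function names (`parse_requests`, `identity_leaks`, `report`) are my own.

```python
"""Summarise EAP sessions from `freeradius -X` debug output (added example)."""
import re

# Constructed sample: a condensed subset of request (27) from the thread plus an
# invented request (29) that uses an anonymous outer identity and is rejected.
SAMPLE_LOG = """\
Wed Oct  2 14:27:32 2019 : Debug: (27) Received Access-Request Id 72 from 10.17.15.31:59627 to 10.16.1.1:1812 length 312
Wed Oct  2 14:27:32 2019 : Debug: (27)   User-Name = "baumho"
Wed Oct  2 14:27:32 2019 : Debug: (27)   Calling-Station-Id = "60-67-20-B5-12-AC"
Wed Oct  2 14:27:32 2019 : Debug: (27) eap: Peer sent packet with method EAP TTLS (21)
Wed Oct  2 14:27:32 2019 : Debug: (27) Virtual server inner-tunnel received request
Wed Oct  2 14:27:32 2019 : Debug: (27)   User-Name = "baumho"
Wed Oct  2 14:27:32 2019 : WARNING: (27) Outer and inner identities are the same.  User privacy is compromised.
Wed Oct  2 14:27:32 2019 : Debug: (27) eap: Peer sent packet with method EAP MSCHAPv2 (26)
Wed Oct  2 14:27:32 2019 : Debug: literal --> --username=
Wed Oct  2 14:27:32 2019 : Debug: (27) MSCHAP Success
Wed Oct  2 14:27:32 2019 : Debug: (27) } # server inner-tunnel
Wed Oct  2 14:27:32 2019 : Debug: (27) Sent Access-Challenge Id 72 from 10.16.1.1:1812 to 10.17.15.31:59627 length 0
Wed Oct  2 14:27:32 2019 : Debug: (27) Finished request
Wed Oct  2 14:27:40 2019 : Debug: (29) Received Access-Request Id 80 from 10.17.15.31:59627 to 10.16.1.1:1812 length 300
Wed Oct  2 14:27:40 2019 : Debug: (29)   User-Name = "anonymous@example.org"
Wed Oct  2 14:27:40 2019 : Debug: (29)   Calling-Station-Id = "00-11-22-33-44-88"
Wed Oct  2 14:27:40 2019 : Debug: (29) eap: Peer sent packet with method EAP TTLS (21)
Wed Oct  2 14:27:40 2019 : Debug: (29) Virtual server inner-tunnel received request
Wed Oct  2 14:27:40 2019 : Debug: (29)   User-Name = "baumho"
Wed Oct  2 14:27:40 2019 : Debug: (29) eap: Peer sent packet with method EAP MSCHAPv2 (26)
Wed Oct  2 14:27:40 2019 : Debug: (29) } # server inner-tunnel
Wed Oct  2 14:27:40 2019 : Debug: (29) Sent Access-Reject Id 80 from 10.16.1.1:1812 to 10.17.15.31:59627 length 0
Wed Oct  2 14:27:40 2019 : Debug: (29) Finished request
"""

# "<timestamp> : <level>: (<request>) <message>"; lines without "(N)" are skipped.
LINE_RE = re.compile(r"^(?P<ts>.+?) : (?P<level>\w+): \((?P<req>\d+)\) (?P<msg>.*)$")
ATTR_RE = re.compile(r'^\s*(?P<name>[\w-]+) = "?(?P<value>[^"]*)"?\s*$')
METHOD_RE = re.compile(r"Peer sent packet with method EAP (?P<method>[\w-]+) \(\d+\)")
SENT_RE = re.compile(r"^Sent (?P<code>Access-[A-Za-z]+) Id \d+")


def new_request():
    return {"outer_identity": None, "inner_identity": None, "station": None,
            "methods": [], "warnings": [], "mschap_success": False,
            "reply": None, "_in_tunnel": False}


def parse_requests(log_text):
    """Return {request_number: summary} built from every '(N)'-prefixed line."""
    requests = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # xlat tree dumps etc. carry no request number
        req = requests.setdefault(int(m["req"]), new_request())
        msg = m["msg"]
        stripped = msg.strip()
        if m["level"] == "WARNING":
            req["warnings"].append(stripped)
            continue
        if stripped == "Virtual server inner-tunnel received request":
            req["_in_tunnel"] = True      # following attributes come from inside TLS
            continue
        if stripped == "} # server inner-tunnel":
            req["_in_tunnel"] = False
            continue
        if stripped == "MSCHAP Success":
            req["mschap_success"] = True
            continue
        mm = METHOD_RE.search(msg)
        if mm:
            req["methods"].append(mm["method"])
            continue
        sm = SENT_RE.match(stripped)
        if sm:
            req["reply"] = sm["code"]
            continue
        am = ATTR_RE.match(msg)
        if am:
            name, value = am["name"], am["value"]
            if name == "User-Name":
                key = "inner_identity" if req["_in_tunnel"] else "outer_identity"
                if req[key] is None:      # keep the first occurrence only
                    req[key] = value
            elif name == "Calling-Station-Id":
                req["station"] = value
    return requests


def identity_leaks(requests):
    """Requests whose real (inner) identity was also sent in the clear as the outer identity."""
    return sorted(n for n, r in requests.items()
                  if r["inner_identity"] is not None
                  and r["inner_identity"] == r["outer_identity"])


def report(requests):
    """One summary line per request, plus one indented line per WARNING."""
    lines = []
    for n in sorted(requests):
        r = requests[n]
        lines.append(f"({n}) station={r['station']} outer={r['outer_identity']!r} "
                     f"inner={r['inner_identity']!r} methods={'/'.join(r['methods']) or '-'} "
                     f"mschap_ok={r['mschap_success']} reply={r['reply']}")
        for w in r["warnings"]:
            lines.append(f"     warning: {w}")
    return lines


if __name__ == "__main__":
    reqs = parse_requests(SAMPLE_LOG)
    print("\n".join(report(reqs)))
    print("real identity visible outside the tunnel in requests:", identity_leaks(reqs))
```

Feeding a whole `freeradius -X` capture through `parse_requests` gives one summary line per request, so two clients can be compared on the `methods` and `reply` columns instead of by reading both traces end to end. The identity warning is a privacy issue rather than the cause of a failed login: it disappears once the supplicant is configured with an anonymous outer identity and sends the real user name only inside the TTLS tunnel.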
Hello,

Here are the debug messages from the login with Windows:

Wed Oct  2 14:27:32 2019 : Debug: (28) Received Access-Request Id 73 from 10.17.15.31:59627 to 10.16.1.1:1812 length 252
Wed Oct  2 14:27:32 2019 : Debug: (28)   User-Name = "baumho"
Wed Oct  2 14:27:32 2019 : Debug: (28)   NAS-Identifier = "f09fc2fe0e88"
Wed Oct  2 14:27:32 2019 : Debug: (28)   Called-Station-Id = "F0-9F-C2-FE-0E-88:LMGSR"
Wed Oct  2 14:27:32 2019 : Debug: (28)   NAS-Port-Type = Wireless-802.11
Wed Oct  2 14:27:32 2019 : Debug: (28)   Service-Type = Framed-User
Wed Oct  2 14:27:32 2019 : Debug: (28)   Calling-Station-Id = "60-67-20-B5-12-AC"
Wed Oct  2 14:27:32 2019 : Debug: (28)   Connect-Info = "CONNECT 0Mbps 802.11b"
Wed Oct  2 14:27:32 2019 : Debug: (28)   Acct-Session-Id = "B8695F95492C3A28"
Wed Oct  2 14:27:32 2019 : Debug: (28)   WLAN-Pairwise-Cipher = 1027076
Wed Oct  2 14:27:32 2019 : Debug: (28)   WLAN-Group-Cipher = 1027076
Wed Oct  2 14:27:32 2019 : Debug: (28)   WLAN-AKM-Suite = 1027073
Wed Oct  2 14:27:32 2019 : Debug: (28)   Framed-MTU = 1400
Wed Oct  2 14:27:32 2019 : Debug: (28)   EAP-Message = 0x0252003315001703030028f6d056a714123279e09d17408e8256ca2c70d658d309c7a42863dca616071ac0104be60e90ac94f4
Wed Oct  2 14:27:32 2019 : Debug: (28)   State = 0xeb6007aaec32127e5bc8d5d0acc56213
Wed Oct  2 14:27:32 2019 : Debug: (28)   Message-Authenticator = 0xf9658c8e55fdc4ba81ccbd2daaec5c78
Wed Oct  2 14:27:32 2019 : Debug: (28) session-state: No cached attributes
Wed Oct  2 14:27:32 2019 : Debug: (28) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
Wed Oct  2 14:27:32 2019 : Debug: (28)   authorize {
Wed Oct  2 14:27:32 2019 : Debug: (28)     policy filter_username {
Wed Oct  2 14:27:32 2019 : Debug: (28)       if (&User-Name) {
Wed Oct  2 14:27:32 2019 : Debug: (28)       if (&User-Name)  -> TRUE
Wed Oct  2 14:27:32 2019 : Debug: (28)       if (&User-Name)  {
Wed Oct  2 14:27:32 2019 : Debug: (28)         if (&User-Name =~ / /) {
Wed Oct  2 14:27:32 2019 : Debug: (28)         if (&User-Name =~ / /)  -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (28)         if (&User-Name =~ /@[^@]*@/ ) {
Wed Oct  2 14:27:32 2019 : Debug: (28)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (28)         if (&User-Name =~ /\.\./ ) {
Wed Oct  2 14:27:32 2019 : Debug: (28)         if (&User-Name =~ /\.\./ )  -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (28)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
Wed Oct  2 14:27:32 2019 : Debug: (28)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (28)         if (&User-Name =~ /\.$/)  {
Wed Oct  2 14:27:32 2019 : Debug: (28)         if (&User-Name =~ /\.$/)   -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (28)         if (&User-Name =~ /@\./)  {
Wed Oct  2 14:27:32 2019 : Debug: (28)         if (&User-Name =~ /@\./)   -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (28)       } # if (&User-Name)  = notfound
Wed Oct  2 14:27:32 2019 : Debug: (28)     } # policy filter_username = notfound
Wed Oct  2 14:27:32 2019 : Debug: (28)     modsingle[authorize]: calling preprocess (rlm_preprocess)
Wed Oct  2 14:27:32 2019 : Debug: (28)     modsingle[authorize]: returned from preprocess (rlm_preprocess)
Wed Oct  2 14:27:32 2019 : Debug: (28)     [preprocess] = ok
Wed Oct  2 14:27:32 2019 : Debug: (28)     modsingle[authorize]: calling chap (rlm_chap)
Wed Oct  2 14:27:32 2019 : Debug: (28)     modsingle[authorize]: returned from chap (rlm_chap)
Wed Oct  2 14:27:32 2019 : Debug: (28)     [chap] = noop
Wed Oct  2 14:27:32 2019 : Debug: (28)     modsingle[authorize]: calling mschap (rlm_mschap)
Wed Oct  2 14:27:32 2019 : Debug: (28)     modsingle[authorize]: returned from mschap (rlm_mschap)
Wed Oct  2 14:27:32 2019 : Debug: (28)     [mschap] = noop
Wed Oct  2 14:27:32 2019 : Debug: (28)     modsingle[authorize]: calling digest (rlm_digest)
Wed Oct  2 14:27:32 2019 : Debug: (28)     modsingle[authorize]: returned from digest (rlm_digest)
Wed Oct  2 14:27:32 2019 : Debug: (28)     [digest] = noop
Wed Oct  2 14:27:32 2019 : Debug: (28)     modsingle[authorize]: calling suffix (rlm_realm)
Wed Oct  2 14:27:32 2019 : Debug: (28) suffix: Checking for suffix after "@"
Wed Oct  2 14:27:32 2019 : Debug: (28) suffix: No '@' in User-Name = "baumho", looking up realm NULL
Wed Oct  2 14:27:32 2019 : Debug: (28) suffix: No such realm "NULL"
Wed Oct  2 14:27:32 2019 : Debug: (28)     modsingle[authorize]: returned from suffix (rlm_realm)
Wed Oct  2 14:27:32 2019 : Debug: (28)     [suffix] = noop
Wed Oct  2 14:27:32 2019 : Debug: (28)     modsingle[authorize]: calling eap (rlm_eap)
Wed Oct  2 14:27:32 2019 : Debug: (28) eap: Peer sent EAP Response (code 2) ID 82 length 51
Wed Oct  2 14:27:32 2019 : Debug: (28) eap: Continuing tunnel setup
Wed Oct  2 14:27:32 2019 : Debug: (28)     modsingle[authorize]: returned from eap (rlm_eap)
Wed Oct  2 14:27:32 2019 : Debug: (28)     [eap] = ok
Wed Oct  2 14:27:32 2019 : Debug: (28)   } # authorize = ok
Wed Oct  2 14:27:32 2019 : Debug: (28) Found Auth-Type = eap
Wed Oct  2 14:27:32 2019 : Debug: (28) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
Wed Oct  2 14:27:32 2019 : Debug: (28)   authenticate {
Wed Oct  2 14:27:32 2019 : Debug: (28)     modsingle[authenticate]: calling eap (rlm_eap)
Wed Oct  2 14:27:32 2019 : Debug: (28) eap: Expiring EAP session with state 0x3ee384dc3ce09e4d
Wed Oct  2 14:27:32 2019 : Debug: (28) eap: Finished EAP session with state 0xeb6007aaec32127e
Wed Oct  2 14:27:32 2019 : Debug: (28) eap: Previous EAP request found for state 0xeb6007aaec32127e, released from the list
Wed Oct  2 14:27:32 2019 : Debug: (28) eap: Peer sent packet with method EAP TTLS (21)
Wed Oct  2 14:27:32 2019 : Debug: (28) eap: Calling submodule eap_ttls to process data
Wed Oct  2 14:27:32 2019 : Debug: (28) eap_ttls: Authenticate
Wed Oct  2 14:27:32 2019 : Debug: (28) eap_ttls: Continuing EAP-TLS
Wed Oct  2 14:27:32 2019 : Debug: (28) eap_ttls: Peer sent flags ---
Wed Oct  2 14:27:32 2019 : Debug: (28) eap_ttls: [eaptls verify] = ok
Wed Oct  2 14:27:32 2019 : Debug: (28) eap_ttls: Done initial handshake
Wed Oct  2 14:27:32 2019 : Debug: (28) eap_ttls: [eaptls process] = ok
Wed Oct  2 14:27:32 2019 : Debug: (28) eap_ttls: Session established.  Proceeding to decode tunneled attributes
Wed Oct  2 14:27:32 2019 : Debug: (28) eap_ttls: Got tunneled request
Wed Oct  2 14:27:32 2019 : Debug: (28) eap_ttls:   EAP-Message = 0x020300061a03
Wed Oct  2 14:27:32 2019 : Debug: (28) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
Wed Oct  2 14:27:32 2019 : Debug: (28) eap_ttls: Sending tunneled request
Wed Oct  2 14:27:32 2019 : Debug: (28) Virtual server inner-tunnel received request
Wed Oct  2 14:27:32 2019 : Debug: (28)   EAP-Message = 0x020300061a03
Wed Oct  2 14:27:32 2019 : Debug: (28)   FreeRADIUS-Proxied-To = 127.0.0.1
Wed Oct  2 14:27:32 2019 : Debug: (28)   User-Name = "baumho"
Wed Oct  2 14:27:32 2019 : Debug: (28)   State = 0x3ee384dc3ce09e4dcc7851e2e427c8b8
Wed Oct  2 14:27:32 2019 : WARNING: (28) Outer and inner identities are the same.  User privacy is compromised.
Wed Oct  2 14:27:32 2019 : Debug: (28) server inner-tunnel {
Wed Oct  2 14:27:32 2019 : Debug: (28)   session-state: No cached attributes
Wed Oct  2 14:27:32 2019 : Debug: (28)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
Wed Oct  2 14:27:32 2019 : Debug: (28)     authorize {
Wed Oct  2 14:27:32 2019 : Debug: (28)       policy filter_username {
Wed Oct  2 14:27:32 2019 : Debug: (28)         if (&User-Name) {
Wed Oct  2 14:27:32 2019 : Debug: (28)         if (&User-Name)  -> TRUE
Wed Oct  2 14:27:32 2019 : Debug: (28)         if (&User-Name)  {
Wed Oct  2 14:27:32 2019 : Debug: (28)           if (&User-Name =~ / /) {
Wed Oct  2 14:27:32 2019 : Debug: (28)           if (&User-Name =~ / /)  -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (28)           if (&User-Name =~ /@[^@]*@/ ) {
Wed Oct  2 14:27:32 2019 : Debug: (28)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (28)           if (&User-Name =~ /\.\./ ) {
Wed Oct  2 14:27:32 2019 : Debug: (28)           if (&User-Name =~ /\.\./ )  -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (28)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
Wed Oct  2 14:27:32 2019 : Debug: (28)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (28)           if (&User-Name =~ /\.$/)  {
Wed Oct  2 14:27:32 2019 : Debug: (28)           if (&User-Name =~ /\.$/)   -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (28)           if (&User-Name =~ /@\./)  {
Wed Oct  2 14:27:32 2019 : Debug: (28)           if (&User-Name =~ /@\./)   -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (28)         } # if (&User-Name)  = notfound
Wed Oct  2 14:27:32 2019 : Debug: (28)       } # policy filter_username = notfound
Wed Oct  2 14:27:32 2019 : Debug: (28)       modsingle[authorize]: calling chap (rlm_chap)
Wed Oct  2 14:27:32 2019 : Debug: (28)       modsingle[authorize]: returned from chap (rlm_chap)
Wed Oct  2 14:27:32 2019 : Debug: (28)       [chap] = noop
Wed Oct  2 14:27:32 2019 : Debug: (28)       modsingle[authorize]: calling mschap (rlm_mschap)
Wed Oct  2 14:27:32 2019 : Debug: (28)       modsingle[authorize]: returned from mschap (rlm_mschap)
Wed Oct  2 14:27:32 2019 : Debug: (28)       [mschap] = noop
Wed Oct  2 14:27:32 2019 : Debug: (28)       modsingle[authorize]: calling suffix (rlm_realm)
Wed Oct  2 14:27:32 2019 : Debug: (28) suffix: Checking for suffix after "@"
Wed Oct  2 14:27:32 2019 : Debug: (28) suffix: No '@' in User-Name = "baumho", looking up realm NULL
Wed Oct  2 14:27:32 2019 : Debug: (28) suffix: No such realm "NULL"
Wed Oct  2 14:27:32 2019 : Debug: (28)       modsingle[authorize]: returned from suffix (rlm_realm)
Wed Oct  2 14:27:32 2019 : Debug: (28)       [suffix] = noop
Wed Oct  2 14:27:32 2019 : Debug: (28)       update control {
Wed Oct  2 14:27:32 2019 : Debug: (28)         &Proxy-To-Realm := LOCAL
Wed Oct  2 14:27:32 2019 : Debug: (28)       } # update control = noop
Wed Oct  2 14:27:32 2019 : Debug: (28)       modsingle[authorize]: calling eap (rlm_eap)
Wed Oct  2 14:27:32 2019 : Debug: (28) eap: Peer sent EAP Response (code 2) ID 3 length 6
Wed Oct  2 14:27:32 2019 : Debug: (28) eap: No EAP Start, assuming it's an on-going EAP conversation
Wed Oct  2 14:27:32 2019 : Debug: (28)       modsingle[authorize]: returned from eap (rlm_eap)
Wed Oct  2 14:27:32 2019 : Debug: (28)       [eap] = updated
Wed Oct  2 14:27:32 2019 : Debug: (28)       modsingle[authorize]: calling files (rlm_files)
Wed Oct  2 14:27:32 2019 : Debug: (28) files: users: Matched entry DEFAULT at line 175
Wed Oct  2 14:27:32 2019 : Debug: (28)       modsingle[authorize]: returned from files (rlm_files)
Wed Oct  2 14:27:32 2019 : Debug: (28)       [files] = ok
Wed Oct  2 14:27:32 2019 : Debug: (28)       modsingle[authorize]: calling expiration (rlm_expiration)
Wed Oct  2 14:27:32 2019 : Debug: (28)       modsingle[authorize]: returned from expiration (rlm_expiration)
Wed Oct  2 14:27:32 2019 : Debug: (28)       [expiration] = noop
Wed Oct  2 14:27:32 2019 : Debug: (28)       modsingle[authorize]: calling logintime (rlm_logintime)
Wed Oct  2 14:27:32 2019 : Debug: (28)       modsingle[authorize]: returned from logintime (rlm_logintime)
Wed Oct  2 14:27:32 2019 : Debug: (28)       [logintime] = noop
Wed Oct  2 14:27:32 2019 : Debug: (28)       modsingle[authorize]: calling pap (rlm_pap)
Wed Oct  2 14:27:32 2019 : Debug: (28)       modsingle[authorize]: returned from pap (rlm_pap)
Wed Oct  2 14:27:32 2019 : Debug: (28)       [pap] = noop
Wed Oct  2 14:27:32 2019 : Debug: (28)     } # authorize = updated
Wed Oct  2 14:27:32 2019 : Debug: (28)   Found Auth-Type = eap
Wed Oct  2 14:27:32 2019 : Debug: (28)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
Wed Oct  2 14:27:32 2019 : Debug: (28)     authenticate {
Wed Oct  2 14:27:32 2019 : Debug: (28)       modsingle[authenticate]: calling eap (rlm_eap)
Wed Oct  2 14:27:32 2019 : Debug: (28) eap: Expiring EAP session with state 0x3ee384dc3ce09e4d
Wed Oct  2 14:27:32 2019 : Debug: (28) eap: Finished EAP session with state 0x3ee384dc3ce09e4d
Wed Oct  2 14:27:32 2019 : Debug: (28) eap: Previous EAP request found for state 0x3ee384dc3ce09e4d, released from the list
Wed Oct  2 14:27:32 2019 : Debug: (28) eap: Peer sent packet with method EAP MSCHAPv2 (26)
Wed Oct  2 14:27:32 2019 : Debug: (28) eap: Calling submodule eap_mschapv2 to process data
Wed Oct  2 14:27:32 2019 : Debug: (28) eap: Sending EAP Success (code 3) ID 3 length 4
Wed Oct  2 14:27:32 2019 : Debug: (28) eap: Freeing handler
Wed Oct  2 14:27:32 2019 : Debug: (28)       modsingle[authenticate]: returned from eap (rlm_eap)
Wed Oct  2 14:27:32 2019 : Debug: (28)       [eap] = ok
Wed Oct  2 14:27:32 2019 : Debug: (28)     } # authenticate = ok
Wed Oct  2 14:27:32 2019 : Debug: (28)   # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
Wed Oct  2 14:27:32 2019 : Debug: (28)     post-auth {
Wed Oct  2 14:27:32 2019 : Debug: (28)       if (0) {
Wed Oct  2 14:27:32 2019 : Debug: (28)       if (0)  -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (28)     } # post-auth = noop
Wed Oct  2 14:27:32 2019 : Auth: (28)   Login OK: [baumho] (from client unifi2 port 0 via TLS tunnel)
Wed Oct  2 14:27:32 2019 : Debug: (28) } # server inner-tunnel
Wed Oct  2 14:27:32 2019 : Debug: (28) Virtual server sending reply
Wed Oct  2 14:27:32 2019 : Debug: (28)   MS-MPPE-Encryption-Policy = Encryption-Allowed
Wed Oct  2 14:27:32 2019 : Debug: (28)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
Wed Oct  2 14:27:32 2019 : Debug: (28)   MS-MPPE-Send-Key = 0x374dc8a3f565fdbcf4c6d30f88d0d002
Wed Oct  2 14:27:32 2019 : Debug: (28)   MS-MPPE-Recv-Key = 0xb0dbe7be19e513ccbb8e1fa5a969f3c2
Wed Oct  2 14:27:32 2019 : Debug: (28)   EAP-Message = 0x03030004
Wed Oct  2 14:27:32 2019 : Debug: (28)   Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct  2 14:27:32 2019 : Debug: (28)   User-Name = "baumho"
Wed Oct  2 14:27:32 2019 : Debug: (28) eap_ttls: Got tunneled Access-Accept
Wed Oct  2 14:27:32 2019 : Debug: (28) eap: Sending EAP Success (code 3) ID 82 length 4
Wed Oct  2 14:27:32 2019 : Debug: (28) eap: Freeing handler
Wed Oct  2 14:27:32 2019 : Debug: (28)     modsingle[authenticate]: returned from eap (rlm_eap)
Wed Oct  2 14:27:32 2019 : Debug: (28)     [eap] = ok
Wed Oct  2 14:27:32 2019 : Debug: (28)   } # authenticate = ok
Wed Oct  2 14:27:32 2019 : Debug: (28) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
Wed Oct  2 14:27:32 2019 : Debug: (28)   post-auth {
Wed Oct  2 14:27:32 2019 : Debug: (28)     update reply {
Wed Oct  2 14:27:32 2019 : Debug: (28)       Session-Timeout := 5400
Wed Oct  2 14:27:32 2019 : Debug: (28)       Termination-Action := RADIUS-Request
Wed Oct  2 14:27:32 2019 : Debug: (28)     } # update reply = noop
Wed Oct  2 14:27:32 2019 : Debug: (28)     update {
Wed Oct  2 14:27:32 2019 : Debug: (28)       No attributes updated
Wed Oct  2 14:27:32 2019 : Debug: (28)     } # update = noop
Wed Oct  2 14:27:32 2019 : Debug: (28)     modsingle[post-auth]: calling exec (rlm_exec)
Wed Oct  2 14:27:32 2019 : Debug: (28)     modsingle[post-auth]: returned from exec (rlm_exec)
Wed Oct  2 14:27:32 2019 : Debug: (28)     [exec] = noop
Wed Oct  2 14:27:32 2019 : Debug: (28)     policy remove_reply_message_if_eap {
Wed Oct  2 14:27:32 2019 : Debug: (28)       if (&reply:EAP-Message && &reply:Reply-Message) {
Wed Oct  2 14:27:32 2019 : Debug: (28)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
Wed Oct  2 14:27:32 2019 : Debug: (28)       else {
Wed Oct  2 14:27:32 2019 : Debug: (28)         modsingle[post-auth]: calling noop (rlm_always)
Wed Oct  2 14:27:32 2019 : Debug: (28)         modsingle[post-auth]: returned from noop (rlm_always)
Wed Oct  2 14:27:32 2019 : Debug: (28)         [noop] = noop
Wed Oct  2 14:27:32 2019 : Debug: (28)       } # else = noop
Wed Oct  2 14:27:32 2019 : Debug: (28)     } # policy remove_reply_message_if_eap = noop
Wed Oct  2 14:27:32 2019 : Debug: (28)   } # post-auth = noop
Wed Oct  2 14:27:32 2019 : Auth: (28) Login OK: [baumho] (from client unifi2 port 0 cli 60-67-20-B5-12-AC)
Wed Oct  2 14:27:32 2019 : Debug: (28) Sent Access-Accept Id 73 from 10.16.1.1:1812 to 10.17.15.31:59627 length 0
Wed Oct  2 14:27:32 2019 : Debug: (28)   Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct  2 14:27:32 2019 : Debug: (28)   User-Name = "baumho"
Wed Oct  2 14:27:32 2019 : Debug: (28)   MS-MPPE-Recv-Key = 0xe25c9eac3b055c4ab75008610167fdb16d9cb04540c4b8332f7cebdb9d176dd8
Wed Oct  2 14:27:32 2019 : Debug: (28)   MS-MPPE-Send-Key = 0x6675fc74d93708ad7f7ec2d4facdfc84a9d5048828d09b3fe16bebbd8f3aff3b
Wed Oct  2 14:27:32 2019 : Debug: (28)   EAP-Message = 0x03520004
Wed Oct  2 14:27:32 2019 : Debug: (28)   Session-Timeout := 5400
Wed Oct  2 14:27:32 2019 : Debug: (28)   Termination-Action := RADIUS-Request
Wed Oct  2 14:27:32 2019 : Debug: (28) Finished request

Best regards

Holger
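Reading a debug dump like the one above by hand is tedious, so here is an added Python example (not from this thread and not part of FreeRADIUS) that summarises each request id: whether the "Outer and inner identities are the same" warning fired, the EAP method, inner and outer identity, NAS and client MAC, the packet finally sent, and the attributes it carried. As a check it also reports when an Access-Accept contains none of the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-Id attributes used for RADIUS-driven VLAN assignment, in which case the AP places the client according to its own configuration. The sample log is constructed in the format of the excerpt above; request 28 mirrors that excerpt, request 29 is invented to show the other branch (anonymous outer identity, VLAN attributes present).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in FreeRADIUS 3.0 debug format
# ("timestamp : Level: (request-id) message"). Request 28 mirrors the
# thread's excerpt; request 29 is invented (anonymous outer identity,
# VLAN attributes in the Access-Accept).
SAMPLE_LOG = """\
Wed Oct  2 14:27:32 2019 : WARNING: (28) Outer and inner identities are the same.  User privacy is compromised.
Wed Oct  2 14:27:32 2019 : Debug: (28) eap: Peer sent packet with method EAP MSCHAPv2 (26)
Wed Oct  2 14:27:32 2019 : Auth: (28)   Login OK: [baumho] (from client unifi2 port 0 via TLS tunnel)
Wed Oct  2 14:27:32 2019 : Debug: (28) eap_ttls: Got tunneled Access-Accept
Wed Oct  2 14:27:32 2019 : Auth: (28) Login OK: [baumho] (from client unifi2 port 0 cli 60-67-20-B5-12-AC)
Wed Oct  2 14:27:32 2019 : Debug: (28) Sent Access-Accept Id 73 from 10.16.1.1:1812 to 10.17.15.31:59627 length 0
Wed Oct  2 14:27:32 2019 : Debug: (28)   User-Name = "baumho"
Wed Oct  2 14:27:32 2019 : Debug: (28)   EAP-Message = 0x03520004
Wed Oct  2 14:27:32 2019 : Debug: (28)   Session-Timeout := 5400
Wed Oct  2 14:27:32 2019 : Debug: (28)   Termination-Action := RADIUS-Request
Wed Oct  2 14:27:32 2019 : Debug: (28) Finished request
Wed Oct  2 14:30:01 2019 : Debug: (29) eap: Peer sent packet with method EAP MSCHAPv2 (26)
Wed Oct  2 14:30:01 2019 : Auth: (29)   Login OK: [alice] (from client unifi2 port 0 via TLS tunnel)
Wed Oct  2 14:30:01 2019 : Auth: (29) Login OK: [anonymous] (from client unifi2 port 0 cli AA-BB-CC-DD-EE-FF)
Wed Oct  2 14:30:01 2019 : Debug: (29) Sent Access-Accept Id 74 from 10.16.1.1:1812 to 10.17.15.31:59628 length 0
Wed Oct  2 14:30:01 2019 : Debug: (29)   Tunnel-Type:0 = VLAN
Wed Oct  2 14:30:01 2019 : Debug: (29)   Tunnel-Medium-Type:0 = IEEE-802
Wed Oct  2 14:30:01 2019 : Debug: (29)   Tunnel-Private-Group-Id:0 = "10"
Wed Oct  2 14:30:01 2019 : Debug: (29) Finished request
"""

LINE_RE = re.compile(r"^(?P<ts>.+?) : (?P<level>[A-Za-z]+): \((?P<req>\d+)\) (?P<msg>.*)$")
LOGIN_RE = re.compile(r"Login OK: \[(?P<user>[^\]]*)\] \(from client (?P<client>\S+) port \d+(?P<rest>.*)\)")
METHOD_RE = re.compile(r"Peer sent packet with method EAP (?P<method>\S+) \(\d+\)")
SENT_RE = re.compile(r"Sent (?P<code>Access-(?:Accept|Reject|Challenge)) Id \d+ from (?P<src>\S+) to (?P<dst>\S+)")
ATTR_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9:-]+) :?= (?P<value>.*)$")


@dataclass
class RequestSummary:
    req_id: str
    privacy_warning: bool = False
    eap_method: Optional[str] = None
    inner_user: Optional[str] = None
    outer_user: Optional[str] = None
    client_mac: Optional[str] = None
    nas: Optional[str] = None
    result: Optional[str] = None
    reply_attrs: Dict[str, str] = field(default_factory=dict)

    def vlan_assigned(self) -> bool:
        return "Tunnel-Private-Group-Id" in self.reply_attrs

    def findings(self) -> List[str]:
        out = []
        if self.privacy_warning:
            out.append("outer identity equals inner identity; configure an anonymous outer identity on the supplicant")
        if self.result == "Access-Accept" and not self.vlan_assigned():
            out.append("Access-Accept carries no Tunnel-* attributes; VLAN placement is left to the NAS/AP configuration")
        return out


def parse_debug_log(text: str) -> Dict[str, RequestSummary]:
    """Summarise every request id found in a FreeRADIUS debug log."""
    summaries: Dict[str, RequestSummary] = {}
    collecting: Optional[RequestSummary] = None  # request whose reply attributes follow
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        req, msg = m.group("req"), m.group("msg")
        s = summaries.setdefault(req, RequestSummary(req))
        # Only the attribute lines between "Sent Access-Accept/Reject" and
        # "Finished request" belong to the packet the NAS actually receives;
        # earlier dumps belong to the inner tunnel or to Access-Challenge.
        if collecting is s:
            am = ATTR_RE.match(msg)
            if am:
                name = re.sub(r":\d+$", "", am.group("name"))  # drop the ":tag" suffix
                s.reply_attrs[name] = am.group("value")
                continue
            if msg.strip() == "Finished request":
                collecting = None
                continue
        if "Outer and inner identities are the same" in msg:
            s.privacy_warning = True
            continue
        mm = METHOD_RE.search(msg)
        if mm:
            s.eap_method = mm.group("method")
            continue
        lm = LOGIN_RE.search(msg)
        if lm:
            if "via TLS tunnel" in lm.group("rest"):
                s.inner_user = lm.group("user")  # identity inside the TTLS/PEAP tunnel
            else:
                s.outer_user = lm.group("user")  # identity visible on the air
                s.nas = lm.group("client")
                cm = re.search(r"\bcli (\S+)", lm.group("rest"))
                if cm:
                    s.client_mac = cm.group(1)
            continue
        sm = SENT_RE.search(msg)
        if sm:
            s.result = sm.group("code")
            if sm.group("code") != "Access-Challenge":
                collecting = s
    return summaries


if __name__ == "__main__":
    for rid, summary in parse_debug_log(SAMPLE_LOG).items():
        print(f"request {rid}: {summary.result} outer={summary.outer_user} inner={summary.inner_user} "
              f"method={summary.eap_method} nas={summary.nas} mac={summary.client_mac} "
              f"vlan={summary.reply_attrs.get('Tunnel-Private-Group-Id')}")
        for f in summary.findings():
            print("  -", f)
```

Run it against `freeradius -X` output piped into `parse_debug_log()` to get one line per authentication instead of several hundred debug lines; the two findings it prints for request 28 are exactly the two points visible in the excerpt above.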

Hello Christoph,

does your Windows machine work with the same routing/DNS/proxy conditions
as the other, successfully connected clients?
I thought that was the case: but today I spent 2 hours at the school running tests.

Here is the routing from Windows:

And here from Linux:
Kernel-IP-Routentabelle
Ziel Router Genmask Flags Metric Ref Use Iface
default _gateway 0.0.0.0 UG 600 0 0 wlp3s0
link-local 0.0.0.0 255.255.0.0 U 1000 0 0 virbr0
172.16.0.0 0.0.0.0 255.255.0.0 U 600 0 0 wlp3s0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
baumho@Tripmaster:~$ ifconfig -a
wlp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.222.79 netmask 255.255.0.0 broadcast 172.16.255.255
inet6 fe80::9823:bd2f:ddd:532c prefixlen 64 scopeid 0x20
ether 60:67:20:b5:12:ac txqueuelen 1000 (Ethernet)
RX packets 8843985 bytes 11561542422 (11.5 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3237523 bytes 321348695 (321.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Best regards

Holger

Hello everyone,

my tests also shed some light on the whole matter.
After a bit of back and forth I got the opnsense to write log files again: it had stopped doing that on 10 Sept (for whatever reason).
The live logs were surprisingly boring … because nothing was changing.
Only after I deleted the log files (button in the live logs) did something happen again: and lo and behold: Linux is green and Windows red (Blocked) … wait for it … because Linux comes in via OPT1 (WLAN) and Windows via LAN … (see pictures below).
But why?
Linux goes through the inner tunnel and Windows doesn't?
But how does Windows get into the LAN then? It already got an IP from OPT1 before that (172.16.x.y).
Who puts Windows into the LAN?
Only the AP can do that: it sits in both networks.
Why on earth does it do that?
It didn't do that before, did it?

Best regards

Holger

hello Holger,
for us WLAN with freeradius doesn't work either, but I don't know the technical details. do mobile devices (Android, iPhone, iPad) get in at your place? that would be enough for me for now…
regards,
Hendrik

Hello Hendrik,

for us WLAN with freeradius doesn't work either, but I don't know the
technical details. do mobile devices (Android, iPhone,
iPad) get in at your place? that would be enough for me for now…

yes: without any problems.
At Dominik's and Rainer's the Windows boxes get in too: at mine not
yet.

Best regards

Holger