FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Feb 24 2014 at 15:16:50 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including configuration file /etc/freeradius/snmp.conf including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" } client ipcop { ipaddr = 10.16.1.254 require_message_authenticator = no secret = "raothook" } client unifi { ipaddr = 10.20.0.1 require_message_authenticator = no secret = "muster123" } client ap01 { ipaddr = 10.20.50.1 require_message_authenticator = no secret = "muster123" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/radiusd.conf exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/radiusd.conf Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/radiusd.conf expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/radiusd.conf logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/radiusd.conf pap { encryption_scheme = "auto" auto_header = yes } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/radiusd.conf Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/radiusd.conf mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/radiusd.conf unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "muster123" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/radiusd.conf realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/radiusd.conf files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/radiusd.conf radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/radiusd.conf attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/freeradius/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/freeradius/radiusd.conf ldap { server = "localhost" port = 389 password = "aZrj4tRTvibWmx66tO7J1nPe" identity = "cn=admin,dc=linuxmuster,dc=lokal" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "ou=accounts,dc=linuxmuster,dc=lokal" filter = "(uid=%u)" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%u))" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x2156b60 Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/radiusd.conf preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/radiusd.conf acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/radiusd.conf detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/radiusd.conf attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=54, length=153 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02210007016261 Message-Authenticator = 0xf7a3504bf8ac938e3c22457f355c95b3 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 33 length 7 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 18 ++[files] returns ok [ldap] performing user authorization for ba [ldap] expand: (uid=%u) -> (uid=ba) [ldap] expand: ou=accounts,dc=linuxmuster,dc=lokal -> ou=accounts,dc=linuxmuster,dc=lokal [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to localhost:389, authentication 0 [ldap] bind as cn=admin,dc=linuxmuster,dc=lokal/aZrj4tRTvibWmx66tO7J1nPe to localhost:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=accounts,dc=linuxmuster,dc=lokal, with filter (uid=ba) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SSHA}k34tVPH7w2Q9PkhPWJYvQQW64fAyTGFvQWhGSWZ1ajZGWG82bndLdzBvNlUzYXdmS3k1Wg==" [ldap] sambaNtPassword -> NT-Password == 0x3230363135433634303636393632354132364537443741463943454132434442 [ldap] sambaLmPassword -> LM-Password == 0x4632453138363245303531433143394641414433423433354235313430344545 [ldap] looking for reply items in directory... [ldap] user ba authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Normalizing SSHA1-Password from base64 encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 54 to 10.20.50.1 port 45512 EAP-Message = 0x012200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x429aaff442b8b61d8ac49581aa820b97 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=55, length=291 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0222007f19800000007516030100700100006c030158e63456b42695bf9910ad4782277572556e57a8feff5c5eda53724b713be82300002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000 State = 0x429aaff442b8b61d8ac49581aa820b97 Message-Authenticator = 0x20140d008368b7ed22a63e2aa6b2bec0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 34 length 127 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 117 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0070], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 55 to 10.20.50.1 port 45512 EAP-Message = 0x0123040019c0000008a216030100310200002d030158e634543c292dd1d388b69f3129df320656a2f95090e2598527a5ba264c0a69000035000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175 EAP-Message = 0x74686f72697479301e170d3137303430343230303435375a170d3237303430323230303435375a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b306f7ddd3e8d8768da7ae3de552269ad61631d5e9897c506eef2ab57057b9ae52f84f8f8e3f59a3fd7db76649a8c37b46cfb762fda905 EAP-Message = 0xc9a2d716e27d445c78513eddf1f7aadac8cc552abb4470f1769238341d73d9254694d337597441fd463abb175c492f0290de4d6476d7d63bfcfcebe2e368227bb4fa557300981f9ede604b918151c87ce98b1620e6f2c369a702840eeb7665bbfc071e8bd5112b29d7ce9d102c0fac3c8cf87361aa44ca74cc2542f9e8e3554294a4ea5a8f4be84f6485a1a6b7dda2829dec10c0683260f502d707c1302482104a9be14530e0fd213ab1dcd317b37182789fbba04e8613ac0efab15d256541a5a51f0d6fd3ec72df7f0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100462d EAP-Message = 0x3fd2d76c5aea7539fe1f2e27d0a85be10eb3fb48fb0efe0d549b9f1c5351b2d68097c65b450327604fc84ba569198abda5d15c2f4a7a54c9037c242d267fcaedc122c40ce95266db74efcc9f7f7eaa8ba6bcc36074cd8dc45710a49bb8cbd7514ea25e12b8e0094b2e7e4d2580d83773e7fb917f3aaa6fa385e8cefc36ee2b5ba826af79fed71596dc9a24539b4a279d3d701d1bd26b688bff218f93ab9af08468a46c225d375be151ed4e27ae8e22ffe29f14b1793b5aba2f2e7c60947ef1ab67a86461635da109310a14455fb71857c373886915b36d3605a13329bae4fc0d798dbb50840d990d13ed5ea0d74737c601c0ed80d76dff546e5c89b32a EAP-Message = 0x460004ab308204a73082038f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x429aaff443b9b61d8ac49581aa820b97 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=56, length=170 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x022300061900 State = 0x429aaff443b9b61d8ac49581aa820b97 Message-Authenticator = 0xb033a489e39a758a9a20f217389c8eb0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 35 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 56 to 10.20.50.1 port 45512 EAP-Message = 0x012403fc1940a003020102020900c93d3cdc6c083a6f300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3137303430343230303435375a170d3237303430323230303435375a308193310b3009060355040613024652310f300d0603550408130652616469757331 EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100bb6f03c8e439c80f1100967d5ce94c28eb4a607ac0d030c5fb00a36c9053db4f238f7cbfa5cb1dc3f65786c7cc772b5c8560797c72c2d3f70cba3fd310afc99d2b05a9b37745835f6c81829692880861911a3408331ec0c44bcaef9602ec16498f41ec43d06e484b EAP-Message = 0x9234e23cda5191dc32790fe91c95e7ed9026af3f4f842b5daad1377b4b4caa10d90d53cf7bc3299f3f2f46bfd793921524e9b3282688812df3a82edea4853c91d198ac396cda04731199ca8829b880cb9e4b1fc61ffa9808ba3eabe7317b9299293d059a12c4d89e866585a37062248404ad341a7f4b37fb77dfcfa069771063bc2eaf3262cff611b0d3cbe2ebc5f8fb2648bc4621c648e70203010001a381fb3081f8301d0603551d0e04160414a22c151726ffe1032700c065a31e70ff0621961b3081c80603551d230481c03081bd8014a22c151726ffe1032700c065a31e70ff0621961ba18199a48196308193310b300906035504061302465231 EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900c93d3cdc6c083a6f300c0603551d13040530030101ff300d06092a864886f70d010105050003820101003ac6e51328b66a4d0acda0f09cac7d279b95b805b9824e369b3ddf3fa7de5b0e479b4158dff6e83ab15653e223a8e4628be297a6e894bcbbf5e8d564c4f7ba31a964760d2338ca4e45240c EAP-Message = 0x0f97ba8127646ec9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x429aaff440beb61d8ac49581aa820b97 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=57, length=170 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x022400061900 State = 0x429aaff440beb61d8ac49581aa820b97 Message-Authenticator = 0x14e7360a657e7e3b84b658c988c32152 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 36 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 57 to 10.20.50.1 port 45512 EAP-Message = 0x012500bc1900eecd641e12be2dcc8f04ce1167e7574a21ca0f6b90baa2820445a5c811bccf6b0733f6e146a033df2735818c65709499bc5317f1b45fee44ccd38d8e8c187aead10c3ad7b4560266efbb7190d68cb334bf001263ee9e1356b92448f224a333deff448d3bc5d420ae439fcd6824e81beec72d6c15a20fdf5ce013f1e0664016f16ae70a7b95ed023606db51b9ba57987075688468b9613291eb0c9f20a73a2db4f24e155a180f66df7c3ec80a1b16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x429aaff441bfb61d8ac49581aa820b97 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=58, length=502 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0225015019800000014616030101061000010201003a7b57dc0246eddf0fa2cb64a8a70e8b5311e2d06445fdc40bc5a4feefa846aaf8e3e5a3b05ac72b2bc534f65740edcb57a011166168ccb2d82df902d2420b6a20597663c7c3cc16811302109340e2580752da98bbb4c88ba3140354230d5ec9bb100bef12f8a71613e6b585fa89c0e99598eea712272b3598e1b5eeea7447c235d6d13194dc95adff17b6f1772559659cce96c8fc0605b89d4527e9fd6a74775e7de0a140cbedd8bc54b050d3edc9aee0f66be627ac19695f4feef42e0a5e5913254671c244f59f9b6dca5dc34b20949476684b306690afd8467ed4186c6adf8ce713c2a4498dfd EAP-Message = 0xd9fe48cee99cfd800d4d3ccc0997428cffa598367c68770c14030100010116030100301d9cce06b5459b4b908f6ebf8132a7c5b8fce6d56649209dfa0427b08ca1bbdcbddc04d771299dcb1535e35c76885a31 State = 0x429aaff441bfb61d8ac49581aa820b97 Message-Authenticator = 0x114952fd4a44d473e2c6509074c5f884 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 37 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 58 to 10.20.50.1 port 45512 EAP-Message = 0x0126004119001403010001011603010030679aa5f32693dad30a05c1dcbe088d43e650c53e520b494a9aa097b1dffc52ee1e223be7bb4bb302f59d8200a5bbb7e2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x429aaff446bcb61d8ac49581aa820b97 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=59, length=170 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x022600061900 State = 0x429aaff446bcb61d8ac49581aa820b97 Message-Authenticator = 0x8aa33b4b460ed50b0ad7f6bd14dc93af # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 38 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 59 to 10.20.50.1 port 45512 EAP-Message = 0x0127002b19001703010020018093244510ca0cdce409adffb33c54528482943e6ae5433014bfb91455f1b7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x429aaff447bdb61d8ac49581aa820b97 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=60, length=207 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0227002b190017030100207fc2a5462ee5a570f90e4652986530fb89d1ced40ad1ae7d69a5a3f7798fe15f State = 0x429aaff447bdb61d8ac49581aa820b97 Message-Authenticator = 0x752c34a5236c169863f9462d8835eec3 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 39 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - ba [peap] Got inner identity 'ba' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x02270007016261 server { PEAP: Setting User-Name to ba Sending tunneled request EAP-Message = 0x02270007016261 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "ba" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 39 length 7 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 18 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0128001c1a0128001710cdf3ea4c14b09e49c8f82c7f458452656261 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73c4366273ec2c430cd1db819774caec [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0128001c1a0128001710cdf3ea4c14b09e49c8f82c7f458452656261 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73c4366273ec2c430cd1db819774caec [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 60 to 10.20.50.1 port 45512 EAP-Message = 0x0128003b190017030100306e734d6febecb162bfeed40f54edf56e969e6e46690a588426570a858dde0f913dd4d49912cf1605dfdbb06ea399eaf3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x429aaff444b2b61d8ac49581aa820b97 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=61, length=255 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0228005b19001703010050996e7c2b4f1bb5e4260add9b2a41f43326413d12752a6b6afa76ad2f7c22e28dd44ac799023d11cc7086055845c097265ff340abbb7d25eb45969db38e8781f3206bab4f48ca49d84c040da9835515ad State = 0x429aaff444b2b61d8ac49581aa820b97 Message-Authenticator = 0x5ef354062b6211e8ec3d7deac4f5c667 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 40 length 91 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0228003d1a02280038314ca57953a67951ab2eea27b3eb3d6d7900000000000000005c5add330e9f35c199e0d3816b539d187890b79251f7454f006261 server { PEAP: Setting User-Name to ba Sending tunneled request EAP-Message = 0x0228003d1a02280038314ca57953a67951ab2eea27b3eb3d6d7900000000000000005c5add330e9f35c199e0d3816b539d187890b79251f7454f006261 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "ba" State = 0x73c4366273ec2c430cd1db819774caec server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 40 length 61 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 18 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: ba [mschap] Told to do MS-CHAPv2 for ba with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "(E=691 R=1" EAP-Message = 0x04280004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "(E=691 R=1" EAP-Message = 0x04280004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 61 to 10.20.50.1 port 45512 EAP-Message = 0x0129002b19001703010020a438701c52e703ea368210776da5289a9e31ac8b765cdadda14e58fef0c3c6f3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x429aaff445b3b61d8ac49581aa820b97 Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=62, length=207 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0229002b19001703010020014a0ac7c0fd1024a63a452958bb904f0b68948d4f0803ef0dcdb541264c9ccb State = 0x429aaff445b3b61d8ac49581aa820b97 Message-Authenticator = 0x7e343ca57b9256ac84474072a1c13754 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 41 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> ba attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 8 Sending Access-Reject of id 62 to 10.20.50.1 port 45512 EAP-Message = 0x04290004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=63, length=153 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02fc0007016261 Message-Authenticator = 0x49f3b79c184660b269c1632d94d9421f # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 252 length 7 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 18 ++[files] returns ok [ldap] performing user authorization for ba [ldap] expand: (uid=%u) -> (uid=ba) [ldap] expand: ou=accounts,dc=linuxmuster,dc=lokal -> ou=accounts,dc=linuxmuster,dc=lokal [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=accounts,dc=linuxmuster,dc=lokal, with filter (uid=ba) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SSHA}k34tVPH7w2Q9PkhPWJYvQQW64fAyTGFvQWhGSWZ1ajZGWG82bndLdzBvNlUzYXdmS3k1Wg==" [ldap] sambaNtPassword -> NT-Password == 0x3230363135433634303636393632354132364537443741463943454132434442 [ldap] sambaLmPassword -> LM-Password == 0x4632453138363245303531433143394641414433423433354235313430344545 [ldap] looking for reply items in directory... [ldap] user ba authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Normalizing SSHA1-Password from base64 encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 63 to 10.20.50.1 port 45512 EAP-Message = 0x01fd00061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd49148bbdb40d48a854b2335fd951bb Finished request 9. Going to the next request Waking up in 3.5 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=64, length=291 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02fd007f19800000007516030100700100006c030158e634571b3590d225a9162c39dd9f60856d3ebaa4c948edb8a82ea5a150b84700002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000 State = 0xbd49148bbdb40d48a854b2335fd951bb Message-Authenticator = 0x2a183bfea8cb9bae0a6b1db80da1c028 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 253 length 127 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 117 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0070], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 64 to 10.20.50.1 port 45512 EAP-Message = 0x01fe040019c0000008a216030100310200002d030158e63456cfd6626f9cc31b9a19e21898d796acb40e15cd9e0e2e63a39d51abe3000035000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175 EAP-Message = 0x74686f72697479301e170d3137303430343230303435375a170d3237303430323230303435375a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b306f7ddd3e8d8768da7ae3de552269ad61631d5e9897c506eef2ab57057b9ae52f84f8f8e3f59a3fd7db76649a8c37b46cfb762fda905 EAP-Message = 0xc9a2d716e27d445c78513eddf1f7aadac8cc552abb4470f1769238341d73d9254694d337597441fd463abb175c492f0290de4d6476d7d63bfcfcebe2e368227bb4fa557300981f9ede604b918151c87ce98b1620e6f2c369a702840eeb7665bbfc071e8bd5112b29d7ce9d102c0fac3c8cf87361aa44ca74cc2542f9e8e3554294a4ea5a8f4be84f6485a1a6b7dda2829dec10c0683260f502d707c1302482104a9be14530e0fd213ab1dcd317b37182789fbba04e8613ac0efab15d256541a5a51f0d6fd3ec72df7f0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100462d EAP-Message = 0x3fd2d76c5aea7539fe1f2e27d0a85be10eb3fb48fb0efe0d549b9f1c5351b2d68097c65b450327604fc84ba569198abda5d15c2f4a7a54c9037c242d267fcaedc122c40ce95266db74efcc9f7f7eaa8ba6bcc36074cd8dc45710a49bb8cbd7514ea25e12b8e0094b2e7e4d2580d83773e7fb917f3aaa6fa385e8cefc36ee2b5ba826af79fed71596dc9a24539b4a279d3d701d1bd26b688bff218f93ab9af08468a46c225d375be151ed4e27ae8e22ffe29f14b1793b5aba2f2e7c60947ef1ab67a86461635da109310a14455fb71857c373886915b36d3605a13329bae4fc0d798dbb50840d990d13ed5ea0d74737c601c0ed80d76dff546e5c89b32a EAP-Message = 0x460004ab308204a73082038f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd49148bbcb70d48a854b2335fd951bb Finished request 10. Going to the next request Waking up in 3.5 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=65, length=170 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02fe00061900 State = 0xbd49148bbcb70d48a854b2335fd951bb Message-Authenticator = 0x7e88ef84b8421116788c75754bc00ee5 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 254 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 65 to 10.20.50.1 port 45512 EAP-Message = 0x01ff03fc1940a003020102020900c93d3cdc6c083a6f300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3137303430343230303435375a170d3237303430323230303435375a308193310b3009060355040613024652310f300d0603550408130652616469757331 EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100bb6f03c8e439c80f1100967d5ce94c28eb4a607ac0d030c5fb00a36c9053db4f238f7cbfa5cb1dc3f65786c7cc772b5c8560797c72c2d3f70cba3fd310afc99d2b05a9b37745835f6c81829692880861911a3408331ec0c44bcaef9602ec16498f41ec43d06e484b EAP-Message = 0x9234e23cda5191dc32790fe91c95e7ed9026af3f4f842b5daad1377b4b4caa10d90d53cf7bc3299f3f2f46bfd793921524e9b3282688812df3a82edea4853c91d198ac396cda04731199ca8829b880cb9e4b1fc61ffa9808ba3eabe7317b9299293d059a12c4d89e866585a37062248404ad341a7f4b37fb77dfcfa069771063bc2eaf3262cff611b0d3cbe2ebc5f8fb2648bc4621c648e70203010001a381fb3081f8301d0603551d0e04160414a22c151726ffe1032700c065a31e70ff0621961b3081c80603551d230481c03081bd8014a22c151726ffe1032700c065a31e70ff0621961ba18199a48196308193310b300906035504061302465231 EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900c93d3cdc6c083a6f300c0603551d13040530030101ff300d06092a864886f70d010105050003820101003ac6e51328b66a4d0acda0f09cac7d279b95b805b9824e369b3ddf3fa7de5b0e479b4158dff6e83ab15653e223a8e4628be297a6e894bcbbf5e8d564c4f7ba31a964760d2338ca4e45240c EAP-Message = 0x0f97ba8127646ec9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd49148bbfb60d48a854b2335fd951bb Finished request 11. Going to the next request Waking up in 3.5 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=66, length=170 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02ff00061900 State = 0xbd49148bbfb60d48a854b2335fd951bb Message-Authenticator = 0x0018989c56648eed8a9f862320ae8844 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 255 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 66 to 10.20.50.1 port 45512 EAP-Message = 0x010000bc1900eecd641e12be2dcc8f04ce1167e7574a21ca0f6b90baa2820445a5c811bccf6b0733f6e146a033df2735818c65709499bc5317f1b45fee44ccd38d8e8c187aead10c3ad7b4560266efbb7190d68cb334bf001263ee9e1356b92448f224a333deff448d3bc5d420ae439fcd6824e81beec72d6c15a20fdf5ce013f1e0664016f16ae70a7b95ed023606db51b9ba57987075688468b9613291eb0c9f20a73a2db4f24e155a180f66df7c3ec80a1b16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd49148bbe490d48a854b2335fd951bb Finished request 12. Going to the next request Waking up in 3.5 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=67, length=502 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0200015019800000014616030101061000010201002bced6c5d5ff7376a29da5bd94679a40906ba166d75363dc2415dd46b7bc712b054ab5bdad830dda3fec9f48f9447c297c02b4e05506532a76cc2bb45195e18a3650a4ef61695efeff2a193731314e687e68b56fe8b12144a54c7fd9f668f4c2159f849379bb46206bb33c931f4c07dd8b772a569c96c7dded5b7f41f1419a6577668f06c0d9fce09226827ed103bb61e942e656ec93ebf517acf0634ffb01ea9fd76508838f2cbf6618fd63a4e7926277d07204ecd157016518067feffd2543a0820ad59055709bebd53acb7b6b83b8aed95dc147b3e82e6c5b3a538593439803fcf108aa5a58dd EAP-Message = 0x9382525173dab24e9b93387e740e7789855b3691791ab13014030100010116030100306a622d05ce60bbd57ff3179bda66a995a53c5cc05d3772c289df6134d5008d59b7bbf63cfbb6deeb125ffe893a9d569e State = 0xbd49148bbe490d48a854b2335fd951bb Message-Authenticator = 0xa45278c1d6a1756d070c41270e8a5ba4 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 67 to 10.20.50.1 port 45512 EAP-Message = 0x010100411900140301000101160301003083a7373065acb4f61e6c9d13f88b4a2747ee7b011c50bea29c1f9cba73b408bfab2d5b2575025dba5b962131ea4ec2d0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd49148bb9480d48a854b2335fd951bb Finished request 13. Going to the next request Waking up in 3.5 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=68, length=170 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x020100061900 State = 0xbd49148bb9480d48a854b2335fd951bb Message-Authenticator = 0x643e2b4bc137baf39da8bca7dc2c2d25 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 68 to 10.20.50.1 port 45512 EAP-Message = 0x0102002b19001703010020469aa76fcf50cf07831ff7b8bb4722d72bd720c0e7154a56a0ea7dfa8fc0c618 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd49148bb84b0d48a854b2335fd951bb Finished request 14. Going to the next request Waking up in 3.5 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=69, length=207 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0202002b190017030100207357b1e3d39b0a684e3d323cf3109e2efad66bdaf764f1ddd2a01ac6d0fd8d1e State = 0xbd49148bb84b0d48a854b2335fd951bb Message-Authenticator = 0xe5fab31329d5831e2bfb54f2bc3a36af # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - ba [peap] Got inner identity 'ba' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x02020007016261 server { PEAP: Setting User-Name to ba Sending tunneled request EAP-Message = 0x02020007016261 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "ba" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 2 length 7 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 18 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0103001c1a0103001710422b5fba5eb04812787d17f6f9346ba46261 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6e51a0096e52ba50d153c09f61210ff3 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0103001c1a0103001710422b5fba5eb04812787d17f6f9346ba46261 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6e51a0096e52ba50d153c09f61210ff3 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 69 to 10.20.50.1 port 45512 EAP-Message = 0x0103003b190017030100309c2c7df5e2ad3a768034c88f09f9f6e51f06a5084ae1c4117847216918f5a49eb5be6285c2df928ca1dab97f415939b3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd49148bbb4a0d48a854b2335fd951bb Finished request 15. Going to the next request Waking up in 3.5 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=70, length=255 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0203005b1900170301005031a8889f8cedc5bb12212da0c821c7a1f557ae5498a72f08a3dc504e19fa61089a72c556d7ed4e4815e48ddaaad716d52b75bd9a5a89969a05da7c269de6c4483c9f35b1436c942d798c32d480b08501 State = 0xbd49148bbb4a0d48a854b2335fd951bb Message-Authenticator = 0xf836940b85a7d42fce2ad3f2c4745cd8 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 91 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0203003d1a0203003831353ff38a76e84a7bdfcc8fc46de3eec500000000000000003402ad13675036ca6de311f33f5217a71e12e14f2835c3d4006261 server { PEAP: Setting User-Name to ba Sending tunneled request EAP-Message = 0x0203003d1a0203003831353ff38a76e84a7bdfcc8fc46de3eec500000000000000003402ad13675036ca6de311f33f5217a71e12e14f2835c3d4006261 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "ba" State = 0x6e51a0096e52ba50d153c09f61210ff3 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 3 length 61 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 18 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: ba [mschap] Told to do MS-CHAPv2 for ba with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\003E=691 R=1" EAP-Message = 0x04030004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\003E=691 R=1" EAP-Message = 0x04030004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 70 to 10.20.50.1 port 45512 EAP-Message = 0x0104002b19001703010020b1335b9fb7a7b6ae16e996281f0d65f0697e001eb758ad0dbcc4917bd2b6c8ab Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd49148bba4d0d48a854b2335fd951bb Finished request 16. Going to the next request Waking up in 3.5 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=71, length=207 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0204002b190017030100204300595c1e26cd6a41971ae74821d011ff073ebae0b61c65d8380391db5be554 State = 0xbd49148bba4d0d48a854b2335fd951bb Message-Authenticator = 0x37ab3fea2cc403e9f36f54f3375890db # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> ba attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 17 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 17 Sending Access-Reject of id 71 to 10.20.50.1 port 45512 EAP-Message = 0x04040004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 2.5 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=72, length=153 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x028f0007016261 Message-Authenticator = 0x3333eaac8af9e4373056dc2d0eb7656b # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 143 length 7 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 18 ++[files] returns ok [ldap] performing user authorization for ba [ldap] expand: (uid=%u) -> (uid=ba) [ldap] expand: ou=accounts,dc=linuxmuster,dc=lokal -> ou=accounts,dc=linuxmuster,dc=lokal [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=accounts,dc=linuxmuster,dc=lokal, with filter (uid=ba) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SSHA}k34tVPH7w2Q9PkhPWJYvQQW64fAyTGFvQWhGSWZ1ajZGWG82bndLdzBvNlUzYXdmS3k1Wg==" [ldap] sambaNtPassword -> NT-Password == 0x3230363135433634303636393632354132364537443741463943454132434442 [ldap] sambaLmPassword -> LM-Password == 0x4632453138363245303531433143394641414433423433354235313430344545 [ldap] looking for reply items in directory... [ldap] user ba authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Normalizing SSHA1-Password from base64 encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 72 to 10.20.50.1 port 45512 EAP-Message = 0x019000061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1f4915e01fd90cea4f1323ce47e86b42 Finished request 18. Going to the next request Waking up in 2.1 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=73, length=291 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0290007f19800000007516030100700100006c030158e634593bc5a5501300fdd0bc3c47755ceee753b3a2c60f5d0484b5092ed38400002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000 State = 0x1f4915e01fd90cea4f1323ce47e86b42 Message-Authenticator = 0x23fc7913b45f67c5caa861108a49e3d9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 144 length 127 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 117 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0070], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 73 to 10.20.50.1 port 45512 EAP-Message = 0x0191040019c0000008a216030100310200002d030158e6345745b7622085c212a12275ad0d686f162cf72924ae1c8b765808632338000035000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175 EAP-Message = 0x74686f72697479301e170d3137303430343230303435375a170d3237303430323230303435375a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b306f7ddd3e8d8768da7ae3de552269ad61631d5e9897c506eef2ab57057b9ae52f84f8f8e3f59a3fd7db76649a8c37b46cfb762fda905 EAP-Message = 0xc9a2d716e27d445c78513eddf1f7aadac8cc552abb4470f1769238341d73d9254694d337597441fd463abb175c492f0290de4d6476d7d63bfcfcebe2e368227bb4fa557300981f9ede604b918151c87ce98b1620e6f2c369a702840eeb7665bbfc071e8bd5112b29d7ce9d102c0fac3c8cf87361aa44ca74cc2542f9e8e3554294a4ea5a8f4be84f6485a1a6b7dda2829dec10c0683260f502d707c1302482104a9be14530e0fd213ab1dcd317b37182789fbba04e8613ac0efab15d256541a5a51f0d6fd3ec72df7f0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100462d EAP-Message = 0x3fd2d76c5aea7539fe1f2e27d0a85be10eb3fb48fb0efe0d549b9f1c5351b2d68097c65b450327604fc84ba569198abda5d15c2f4a7a54c9037c242d267fcaedc122c40ce95266db74efcc9f7f7eaa8ba6bcc36074cd8dc45710a49bb8cbd7514ea25e12b8e0094b2e7e4d2580d83773e7fb917f3aaa6fa385e8cefc36ee2b5ba826af79fed71596dc9a24539b4a279d3d701d1bd26b688bff218f93ab9af08468a46c225d375be151ed4e27ae8e22ffe29f14b1793b5aba2f2e7c60947ef1ab67a86461635da109310a14455fb71857c373886915b36d3605a13329bae4fc0d798dbb50840d990d13ed5ea0d74737c601c0ed80d76dff546e5c89b32a EAP-Message = 0x460004ab308204a73082038f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1f4915e01ed80cea4f1323ce47e86b42 Finished request 19. Going to the next request Waking up in 2.1 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=74, length=170 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x029100061900 State = 0x1f4915e01ed80cea4f1323ce47e86b42 Message-Authenticator = 0xe58c406296107716e3fde299b2d6d208 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 145 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 74 to 10.20.50.1 port 45512 EAP-Message = 0x019203fc1940a003020102020900c93d3cdc6c083a6f300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3137303430343230303435375a170d3237303430323230303435375a308193310b3009060355040613024652310f300d0603550408130652616469757331 EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100bb6f03c8e439c80f1100967d5ce94c28eb4a607ac0d030c5fb00a36c9053db4f238f7cbfa5cb1dc3f65786c7cc772b5c8560797c72c2d3f70cba3fd310afc99d2b05a9b37745835f6c81829692880861911a3408331ec0c44bcaef9602ec16498f41ec43d06e484b EAP-Message = 0x9234e23cda5191dc32790fe91c95e7ed9026af3f4f842b5daad1377b4b4caa10d90d53cf7bc3299f3f2f46bfd793921524e9b3282688812df3a82edea4853c91d198ac396cda04731199ca8829b880cb9e4b1fc61ffa9808ba3eabe7317b9299293d059a12c4d89e866585a37062248404ad341a7f4b37fb77dfcfa069771063bc2eaf3262cff611b0d3cbe2ebc5f8fb2648bc4621c648e70203010001a381fb3081f8301d0603551d0e04160414a22c151726ffe1032700c065a31e70ff0621961b3081c80603551d230481c03081bd8014a22c151726ffe1032700c065a31e70ff0621961ba18199a48196308193310b300906035504061302465231 EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900c93d3cdc6c083a6f300c0603551d13040530030101ff300d06092a864886f70d010105050003820101003ac6e51328b66a4d0acda0f09cac7d279b95b805b9824e369b3ddf3fa7de5b0e479b4158dff6e83ab15653e223a8e4628be297a6e894bcbbf5e8d564c4f7ba31a964760d2338ca4e45240c EAP-Message = 0x0f97ba8127646ec9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1f4915e01ddb0cea4f1323ce47e86b42 Finished request 20. Going to the next request Waking up in 2.1 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=75, length=170 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x029200061900 State = 0x1f4915e01ddb0cea4f1323ce47e86b42 Message-Authenticator = 0xb71b7e1e5d9ce170293ddad1d98761f7 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 146 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 75 to 10.20.50.1 port 45512 EAP-Message = 0x019300bc1900eecd641e12be2dcc8f04ce1167e7574a21ca0f6b90baa2820445a5c811bccf6b0733f6e146a033df2735818c65709499bc5317f1b45fee44ccd38d8e8c187aead10c3ad7b4560266efbb7190d68cb334bf001263ee9e1356b92448f224a333deff448d3bc5d420ae439fcd6824e81beec72d6c15a20fdf5ce013f1e0664016f16ae70a7b95ed023606db51b9ba57987075688468b9613291eb0c9f20a73a2db4f24e155a180f66df7c3ec80a1b16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1f4915e01cda0cea4f1323ce47e86b42 Finished request 21. Going to the next request Waking up in 2.1 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=76, length=502 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x029301501980000001461603010106100001020100049082da20b8fb3184efec59436ea4ec89054a76a207e2137acb58d90e053caf8534ee176dcc0964a931bd1250215ff3aca7480404735369e465fe3c8cfe51ac773f3787cb56c30f7afcac07e7f801fb668a91d6da2380ce15a7673902857976f18a7f9fb700d54ae5b47396c69efe1a27c7f12cf66b1e83ba50bd7d8c2c62513e510aec183c12e98d282d1fd857fa1b65dfb8db3cb9ee4088dc4a73109d138e0b3efc1d443d10732d1bde54445497fd5dc5fec286064d100bfc97bc643a453e1fb5104fc853a7602219b798c6c77c5f4534a6c66a8031589caf8455fdeed119c58f50f6c0b9aeb0 EAP-Message = 0x56a3e331f1fa8a473c20c584da400410334616e2896ea97b1403010001011603010030f9bb4be570fd8a446615f209e4e679fa3ea47e8ce0c239ada11839a3331d8bf9d63271a90d0f00bb71d2cf2fcc7ff267 State = 0x1f4915e01cda0cea4f1323ce47e86b42 Message-Authenticator = 0x610f3af47e9339e791b9c918483dfa54 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 147 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 76 to 10.20.50.1 port 45512 EAP-Message = 0x0194004119001403010001011603010030a24c3c515228b5aa5a829ef9309812fa67e92039c77cea0ef02322c50c8ee81eb98f403cca65e9d65c360920cc673114 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1f4915e01bdd0cea4f1323ce47e86b42 Finished request 22. Going to the next request Waking up in 2.1 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=77, length=170 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x029400061900 State = 0x1f4915e01bdd0cea4f1323ce47e86b42 Message-Authenticator = 0xf8e717903e317c320d9e4208b0321a7a # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 148 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 77 to 10.20.50.1 port 45512 EAP-Message = 0x0195002b19001703010020251c8fe2f18891c3799b83e236ec70ec4aa64937eff846c3d71c047af2adfe22 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1f4915e01adc0cea4f1323ce47e86b42 Finished request 23. Going to the next request Waking up in 2.1 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=78, length=207 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0295002b1900170301002027610df4672daee4fcf42a48f1141383d439d867f9b6f2b0e932f7cdd3846fbe State = 0x1f4915e01adc0cea4f1323ce47e86b42 Message-Authenticator = 0x5d7f51e66a63d958096bc0ce9cf3e0d3 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 149 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - ba [peap] Got inner identity 'ba' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x02950007016261 server { PEAP: Setting User-Name to ba Sending tunneled request EAP-Message = 0x02950007016261 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "ba" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 149 length 7 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 18 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0196001c1a01960017105b5bb1f68bc481a67adbcb137e07f9ac6261 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe9208b05e9b691373050b498739c66f1 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0196001c1a01960017105b5bb1f68bc481a67adbcb137e07f9ac6261 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe9208b05e9b691373050b498739c66f1 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 78 to 10.20.50.1 port 45512 EAP-Message = 0x0196003b19001703010030d6a62ee0875dc8f4314bb6c05ae528cb700cceafca5422a5d0ca5ce7a6a1c6fb73505fd853ed9d8dca8897124fdd47bf Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1f4915e019df0cea4f1323ce47e86b42 Finished request 24. Going to the next request Waking up in 2.0 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=79, length=255 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0296005b19001703010050767b4bbe7eaa039ac473414cef763bc2792eeaaab4c154246bdefd3cdc44dcc87d9eec63dc92046cb3af62cb26706df143fca35e2120c2ac5ccc6fd7cd192c817bfad76e0ca7bb6e80f0e8aae3a2a010 State = 0x1f4915e019df0cea4f1323ce47e86b42 Message-Authenticator = 0x08b34e13bd1ce2c3714b8af66fe1effc # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 150 length 91 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0296003d1a0296003831592bb88bd791c47c687cb562171a2b0c0000000000000000bcc2ddd81e62147e40cc5970c3652b50b81ba0387a38fb86006261 server { PEAP: Setting User-Name to ba Sending tunneled request EAP-Message = 0x0296003d1a0296003831592bb88bd791c47c687cb562171a2b0c0000000000000000bcc2ddd81e62147e40cc5970c3652b50b81ba0387a38fb86006261 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "ba" State = 0xe9208b05e9b691373050b498739c66f1 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 150 length 61 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 18 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: ba [mschap] Told to do MS-CHAPv2 for ba with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\226E=691 R=1" EAP-Message = 0x04960004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\226E=691 R=1" EAP-Message = 0x04960004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 79 to 10.20.50.1 port 45512 EAP-Message = 0x0197002b19001703010020e9c69d45affcf8ffc2aae86bebf44e8d003276d75fcfe0f364ab4db1888efd02 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1f4915e018de0cea4f1323ce47e86b42 Finished request 25. Going to the next request Waking up in 2.0 seconds. rad_recv: Access-Request packet from host 10.20.50.1 port 45512, id=80, length=207 User-Name = "ba" NAS-Identifier = "802aa8d9cf0a" NAS-Port = 0 Called-Station-Id = "82-2A-A8-DB-CF-0A:Schueler" Calling-Station-Id = "2C-F0-EE-37-B8-F6" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0297002b1900170301002080883035d38914bc0587316badadfd4a32957575da9a1d7da6c05d99d536dc9e State = 0x1f4915e018de0cea4f1323ce47e86b42 Message-Authenticator = 0xf8da4954715a15ff772a764833365ebf # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 151 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> ba attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 26 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 26 Sending Access-Reject of id 80 to 10.20.50.1 port 45512 EAP-Message = 0x04970004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 1.0 seconds. Cleaning up request 0 ID 54 with timestamp +44 Cleaning up request 1 ID 55 with timestamp +44 Cleaning up request 2 ID 56 with timestamp +44 Cleaning up request 3 ID 57 with timestamp +44 Cleaning up request 4 ID 58 with timestamp +44 Cleaning up request 5 ID 59 with timestamp +44 Cleaning up request 6 ID 60 with timestamp +44 Cleaning up request 7 ID 61 with timestamp +44 Waking up in 1.0 seconds. Cleaning up request 8 ID 62 with timestamp +44 Waking up in 0.2 seconds. Cleaning up request 9 ID 63 with timestamp +46 Cleaning up request 10 ID 64 with timestamp +46 Cleaning up request 11 ID 65 with timestamp +46 Cleaning up request 12 ID 66 with timestamp +46 Cleaning up request 13 ID 67 with timestamp +46 Cleaning up request 14 ID 68 with timestamp +46 Cleaning up request 15 ID 69 with timestamp +46 Cleaning up request 16 ID 70 with timestamp +46 Waking up in 1.0 seconds. Cleaning up request 17 ID 71 with timestamp +46 Waking up in 0.3 seconds. Cleaning up request 18 ID 72 with timestamp +47 Cleaning up request 19 ID 73 with timestamp +47 Cleaning up request 20 ID 74 with timestamp +47 Cleaning up request 21 ID 75 with timestamp +47 Cleaning up request 22 ID 76 with timestamp +47 Cleaning up request 23 ID 77 with timestamp +47 Cleaning up request 24 ID 78 with timestamp +47 Cleaning up request 25 ID 79 with timestamp +47 Waking up in 1.0 seconds. Cleaning up request 26 ID 80 with timestamp +47 Ready to process requests.