Untitled
May 13th, 2017
  1. radiusd: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu, built on Jan 17 2017 at 18:49:55
  2. Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
  3. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
  4. PARTICULAR PURPOSE
  5. You may redistribute copies of FreeRADIUS under the terms of the
  6. GNU General Public License
  7. For more information about these matters, see the file named COPYRIGHT
  8. Starting - reading configuration files ...
  9. including dictionary file /usr/share/freeradius/dictionary
  10. including dictionary file /usr/share/freeradius/dictionary.dhcp
  11. including dictionary file /usr/share/freeradius/dictionary.vqp
  12. including dictionary file /etc/raddb/dictionary
  13. including configuration file /etc/raddb/radiusd.conf
  14. including configuration file /etc/raddb/proxy.conf
  15. including configuration file /etc/raddb/clients.conf
  16. including files in directory /etc/raddb/mods-enabled/
  17. including configuration file /etc/raddb/mods-enabled/always
  18. including configuration file /etc/raddb/mods-enabled/attr_filter
  19. including configuration file /etc/raddb/mods-enabled/cache_eap
  20. including configuration file /etc/raddb/mods-enabled/chap
  21. including configuration file /etc/raddb/mods-enabled/detail
  22. including configuration file /etc/raddb/mods-enabled/detail.log
  23. including configuration file /etc/raddb/mods-enabled/dhcp
  24. including configuration file /etc/raddb/mods-enabled/digest
  25. including configuration file /etc/raddb/mods-enabled/dynamic_clients
  26. including configuration file /etc/raddb/mods-enabled/eap
  27. including configuration file /etc/raddb/mods-enabled/echo
  28. including configuration file /etc/raddb/mods-enabled/exec
  29. including configuration file /etc/raddb/mods-enabled/expiration
  30. including configuration file /etc/raddb/mods-enabled/expr
  31. including configuration file /etc/raddb/mods-enabled/files
  32. including configuration file /etc/raddb/mods-enabled/linelog
  33. including configuration file /etc/raddb/mods-enabled/logintime
  34. including configuration file /etc/raddb/mods-enabled/mschap
  35. including configuration file /etc/raddb/mods-enabled/ntlm_auth
  36. including configuration file /etc/raddb/mods-enabled/pap
  37. including configuration file /etc/raddb/mods-enabled/passwd
  38. including configuration file /etc/raddb/mods-enabled/preprocess
  39. including configuration file /etc/raddb/mods-enabled/radutmp
  40. including configuration file /etc/raddb/mods-enabled/realm
  41. including configuration file /etc/raddb/mods-enabled/replicate
  42. including configuration file /etc/raddb/mods-enabled/soh
  43. including configuration file /etc/raddb/mods-enabled/sradutmp
  44. including configuration file /etc/raddb/mods-enabled/unix
  45. including configuration file /etc/raddb/mods-enabled/unpack
  46. including configuration file /etc/raddb/mods-enabled/utf8
  47. including configuration file /etc/raddb/mods-enabled/ldap
  48. including files in directory /etc/raddb/policy.d/
  49. including configuration file /etc/raddb/policy.d/accounting
  50. including configuration file /etc/raddb/policy.d/canonicalization
  51. including configuration file /etc/raddb/policy.d/control
  52. including configuration file /etc/raddb/policy.d/cui
  53. including configuration file /etc/raddb/policy.d/debug
  54. including configuration file /etc/raddb/policy.d/dhcp
  55. including configuration file /etc/raddb/policy.d/eap
  56. including configuration file /etc/raddb/policy.d/filter
  57. including configuration file /etc/raddb/policy.d/operator-name
  58. including files in directory /etc/raddb/sites-enabled/
  59. including configuration file /etc/raddb/sites-enabled/default
  60. including configuration file /etc/raddb/sites-enabled/inner-tunnel
  61. main {
  62. security {
  63. user = "radiusd"
  64. group = "radiusd"
  65. allow_core_dumps = no
  66. }
  67. }
  68. main {
  69. name = "radiusd"
  70. prefix = "/usr"
  71. localstatedir = "/var"
  72. sbindir = "/usr/sbin"
  73. logdir = "/var/log/radius"
  74. run_dir = "/var/run/radiusd"
  75. libdir = "/usr/lib64/freeradius"
  76. radacctdir = "/var/log/radius/radacct"
  77. hostname_lookups = no
  78. max_request_time = 30
  79. cleanup_delay = 5
  80. max_requests = 1024
  81. pidfile = "/var/run/radiusd/radiusd.pid"
  82. checkrad = "/usr/sbin/checkrad"
  83. debug_level = 0
  84. proxy_requests = yes
  85. log {
  86. stripped_names = no
  87. auth = no
  88. auth_badpass = no
  89. auth_goodpass = no
  90. colourise = yes
  91. msg_denied = "You are already logged in - access denied"
  92. }
  93. security {
  94. max_attributes = 200
  95. reject_delay = 1
  96. status_server = yes
  97. }
  98. }
  99. radiusd: #### Loading Realms and Home Servers ####
  100. proxy server {
  101. retry_delay = 5
  102. retry_count = 3
  103. default_fallback = no
  104. dead_time = 120
  105. wake_all_if_all_dead = no
  106. }
  107. home_server localhost {
  108. ipaddr = 127.0.0.1
  109. port = 1812
  110. type = "auth"
  111. secret = <<< secret >>>
  112. response_window = 20.000000
  113. response_timeouts = 1
  114. max_outstanding = 65536
  115. zombie_period = 40
  116. status_check = "status-server"
  117. ping_interval = 30
  118. check_interval = 30
  119. check_timeout = 4
  120. num_answers_to_alive = 3
  121. revive_interval = 120
  122. coa {
  123. irt = 2
  124. mrt = 16
  125. mrc = 5
  126. mrd = 30
  127. }
  128. limit {
  129. max_connections = 16
  130. max_requests = 0
  131. lifetime = 0
  132. idle_timeout = 0
  133. }
  134. }
  135. home_server_pool my_auth_failover {
  136. type = fail-over
  137. home_server = localhost
  138. }
  139. realm example.com {
  140. auth_pool = my_auth_failover
  141. }
  142. realm LOCAL {
  143. }
  144. radiusd: #### Loading Clients ####
  145. client asus {
  146. ipaddr = 10.0.0.2
  147. require_message_authenticator = no
  148. secret = <<< secret >>>
  149. nas_type = "other<------>#"
  150. proto = "*"
  151. limit {
  152. max_connections = 16
  153. lifetime = 0
  154. idle_timeout = 30
  155. }
  156. }
  157. client localhost {
  158. ipaddr = 127.0.0.1
  159. require_message_authenticator = no
  160. secret = <<< secret >>>
  161. nas_type = "other"
  162. proto = "*"
  163. limit {
  164. max_connections = 16
  165. lifetime = 0
  166. idle_timeout = 30
  167. }
  168. }
  169. client localhost_ipv6 {
  170. ipv6addr = ::1
  171. require_message_authenticator = no
  172. secret = <<< secret >>>
  173. limit {
  174. max_connections = 16
  175. lifetime = 0
  176. idle_timeout = 30
  177. }
  178. }
  179. radiusd: #### Instantiating modules ####
  180. instantiate {
  181. }
  182. modules {
  183. # Loaded module rlm_always
  184. # Instantiating module "reject" from file /etc/raddb/mods-enabled/always
  185. always reject {
  186. rcode = "reject"
  187. simulcount = 0
  188. mpp = no
  189. }
  190. # Instantiating module "fail" from file /etc/raddb/mods-enabled/always
  191. always fail {
  192. rcode = "fail"
  193. simulcount = 0
  194. mpp = no
  195. }
  196. # Instantiating module "ok" from file /etc/raddb/mods-enabled/always
  197. always ok {
  198. rcode = "ok"
  199. simulcount = 0
  200. mpp = no
  201. }
  202. # Instantiating module "handled" from file /etc/raddb/mods-enabled/always
  203. always handled {
  204. rcode = "handled"
  205. simulcount = 0
  206. mpp = no
  207. }
  208. # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
  209. always invalid {
  210. rcode = "invalid"
  211. simulcount = 0
  212. mpp = no
  213. }
  214. # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
  215. always userlock {
  216. rcode = "userlock"
  217. simulcount = 0
  218. mpp = no
  219. }
  220. # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
  221. always notfound {
  222. rcode = "notfound"
  223. simulcount = 0
  224. mpp = no
  225. }
  226. # Instantiating module "noop" from file /etc/raddb/mods-enabled/always
  227. always noop {
  228. rcode = "noop"
  229. simulcount = 0
  230. mpp = no
  231. }
  232. # Instantiating module "updated" from file /etc/raddb/mods-enabled/always
  233. always updated {
  234. rcode = "updated"
  235. simulcount = 0
  236. mpp = no
  237. }
  238. # Loaded module rlm_attr_filter
  239. # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
  240. attr_filter attr_filter.post-proxy {
  241. filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
  242. key = "%{Realm}"
  243. relaxed = no
  244. }
  245. reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
  246. # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
  247. attr_filter attr_filter.pre-proxy {
  248. filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
  249. key = "%{Realm}"
  250. relaxed = no
  251. }
  252. reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
  253. # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
  254. attr_filter attr_filter.access_reject {
  255. filename = "/etc/raddb/mods-config/attr_filter/access_reject"
  256. key = "%{User-Name}"
  257. relaxed = no
  258. }
  259. reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
  260. # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
  261. attr_filter attr_filter.access_challenge {
  262. filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
  263. key = "%{User-Name}"
  264. relaxed = no
  265. }
  266. reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
  267. # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
  268. attr_filter attr_filter.accounting_response {
  269. filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
  270. key = "%{User-Name}"
  271. relaxed = no
  272. }
  273. reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
  274. # Loaded module rlm_cache
  275. # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
  276. cache cache_eap {
  277. key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
  278. ttl = 15
  279. max_entries = 16384
  280. epoch = 0
  281. add_stats = no
  282. }
  283. # Loaded module rlm_chap
  284. # Instantiating module "chap" from file /etc/raddb/mods-enabled/chap
  285. # Loaded module rlm_detail
  286. # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
  287. detail {
  288. filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
  289. header = "%t"
  290. permissions = 384
  291. locking = no
  292. log_packet_header = no
  293. }
  294. # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
  295. detail auth_log {
  296. filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
  297. header = "%t"
  298. permissions = 384
  299. locking = no
  300. log_packet_header = no
  301. }
  302. rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
  303. # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log
  304. detail reply_log {
  305. filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
  306. header = "%t"
  307. permissions = 384
  308. locking = no
  309. log_packet_header = no
  310. }
  311. # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
  312. detail pre_proxy_log {
  313. filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
  314. header = "%t"
  315. permissions = 384
  316. locking = no
  317. log_packet_header = no
  318. }
  319. # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
  320. detail post_proxy_log {
  321. filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
  322. header = "%t"
  323. permissions = 384
  324. locking = no
  325. log_packet_header = no
  326. }
  327. # Loaded module rlm_dhcp
  328. # Instantiating module "dhcp" from file /etc/raddb/mods-enabled/dhcp
  329. # Loaded module rlm_digest
  330. # Instantiating module "digest" from file /etc/raddb/mods-enabled/digest
  331. # Loaded module rlm_dynamic_clients
  332. # Instantiating module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients
  333. # Loaded module rlm_eap
  334. # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
  335. eap {
  336. default_eap_type = "md5"
  337. timer_expire = 60
  338. ignore_unknown_eap_types = no
  339. mod_accounting_username_bug = no
  340. max_sessions = 1024
  341. }
  342. # Linked to sub-module rlm_eap_md5
  343. # Linked to sub-module rlm_eap_leap
  344. # Linked to sub-module rlm_eap_gtc
  345. gtc {
  346. challenge = "Password: "
  347. auth_type = "PAP"
  348. }
  349. # Linked to sub-module rlm_eap_tls
  350. tls {
  351. tls = "tls-common"
  352. }
  353. tls-config tls-common {
  354. rsa_key_exchange = no
  355. dh_key_exchange = yes
  356. rsa_key_length = 512
  357. dh_key_length = 512
  358. verify_depth = 0
  359. ca_path = "/etc/raddb/certs"
  360. pem_file_type = yes
  361. private_key_file = "/etc/raddb/certs/server.pem"
  362. certificate_file = "/etc/raddb/certs/server.pem"
  363. ca_file = "/etc/raddb/certs/ca.pem"
  364. private_key_password = <<< secret >>>
  365. dh_file = "/etc/raddb/certs/dh"
  366. fragment_size = 1024
  367. include_length = yes
  368. check_crl = no
  369. cipher_list = "DEFAULT"
  370. ecdh_curve = "prime256v1"
  371. cache {
  372. enable = yes
  373. lifetime = 24
  374. max_entries = 255
  375. }
  376. verify {
  377. }
  378. ocsp {
  379. enable = no
  380. override_cert_url = yes
  381. url = "http://127.0.0.1/ocsp/"
  382. use_nonce = yes
  383. timeout = 0
  384. softfail = yes
  385. }
  386. }
  387. # Linked to sub-module rlm_eap_ttls
  388. ttls {
  389. tls = "tls-common"
  390. default_eap_type = "md5"
  391. copy_request_to_tunnel = no
  392. use_tunneled_reply = no
  393. virtual_server = "inner-tunnel"
  394. include_length = yes
  395. require_client_cert = no
  396. }
  397. Using cached TLS configuration from previous invocation
  398. # Linked to sub-module rlm_eap_peap
  399. peap {
  400. tls = "tls-common"
  401. default_method = "mschapv2"
  402. copy_request_to_tunnel = no
  403. use_tunneled_reply = no
  404. proxy_tunneled_request_as_eap = yes
  405. virtual_server = "inner-tunnel"
  406. soh = no
  407. require_client_cert = no
  408. }
  409. Using cached TLS configuration from previous invocation
  410. # Linked to sub-module rlm_eap_mschapv2
  411. mschapv2 {
  412. with_ntdomain_hack = no
  413. send_error = no
  414. }
  415. # Loaded module rlm_exec
  416. # Instantiating module "echo" from file /etc/raddb/mods-enabled/echo
  417. exec echo {
  418. wait = yes
  419. program = "/bin/echo %{User-Name}"
  420. input_pairs = "request"
  421. output_pairs = "reply"
  422. shell_escape = yes
  423. }
  424. # Instantiating module "exec" from file /etc/raddb/mods-enabled/exec
  425. exec {
  426. wait = no
  427. input_pairs = "request"
  428. shell_escape = yes
  429. timeout = 10
  430. }
  431. # Loaded module rlm_expiration
  432. # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
  433. # Loaded module rlm_expr
  434. # Instantiating module "expr" from file /etc/raddb/mods-enabled/expr
  435. expr {
  436. safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  437. }
  438. # Loaded module rlm_files
  439. # Instantiating module "files" from file /etc/raddb/mods-enabled/files
  440. files {
  441. filename = "/etc/raddb/mods-config/files/authorize"
  442. usersfile = "/etc/raddb/mods-config/files/authorize"
  443. acctusersfile = "/etc/raddb/mods-config/files/accounting"
  444. preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
  445. compat = "cistron"
  446. }
  447. reading pairlist file /etc/raddb/mods-config/files/authorize
  448. [/etc/raddb/mods-config/files/authorize]:181 Cistron compatibility checks for entry DEFAULT ...
  449. [/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility checks for entry DEFAULT ...
  450. [/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility checks for entry DEFAULT ...
  451. reading pairlist file /etc/raddb/mods-config/files/authorize
  452. [/etc/raddb/mods-config/files/authorize]:181 Cistron compatibility checks for entry DEFAULT ...
  453. [/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility checks for entry DEFAULT ...
  454. [/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility checks for entry DEFAULT ...
  455. reading pairlist file /etc/raddb/mods-config/files/accounting
  456. reading pairlist file /etc/raddb/mods-config/files/pre-proxy
  457. # Loaded module rlm_linelog
  458. # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
  459. linelog {
  460. filename = "/var/log/radius/linelog"
  461. permissions = 384
  462. format = "This is a log message for %{User-Name}"
  463. reference = "messages.%{%{Packet-Type}:-default}"
  464. }
  465. # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog
  466. linelog log_accounting {
  467. filename = "/var/log/radius/linelog-accounting"
  468. permissions = 384
  469. format = ""
  470. reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
  471. }
  472. # Loaded module rlm_logintime
  473. # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
  474. logintime {
  475. minimum_timeout = 60
  476. }
  477. # Loaded module rlm_mschap
  478. # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
  479. mschap {
  480. use_mppe = yes
  481. require_encryption = no
  482. require_strong = no
  483. with_ntdomain_hack = yes
  484. passchange {
  485. }
  486. allow_retry = yes
  487. }
  488. # Instantiating module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
  489. exec ntlm_auth {
  490. wait = yes
  491. program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
  492. shell_escape = yes
  493. }
  494. # Loaded module rlm_pap
  495. # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
  496. pap {
  497. normalise = yes
  498. }
  499. # Loaded module rlm_passwd
  500. # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
  501. passwd etc_passwd {
  502. filename = "/etc/passwd"
  503. format = "*User-Name:Crypt-Password:"
  504. delimiter = ":"
  505. ignore_nislike = no
  506. ignore_empty = yes
  507. allow_multiple_keys = no
  508. hash_size = 100
  509. }
  510. rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
  511. # Loaded module rlm_preprocess
  512. # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
  513. preprocess {
  514. huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
  515. hints = "/etc/raddb/mods-config/preprocess/hints"
  516. with_ascend_hack = no
  517. ascend_channels_per_line = 23
  518. with_ntdomain_hack = no
  519. with_specialix_jetstream_hack = no
  520. with_cisco_vsa_hack = no
  521. with_alvarion_vsa_hack = no
  522. }
  523. reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
  524. reading pairlist file /etc/raddb/mods-config/preprocess/hints
  525. # Loaded module rlm_radutmp
  526. # Instantiating module "radutmp" from file /etc/raddb/mods-enabled/radutmp
  527. radutmp {
  528. filename = "/var/log/radius/radutmp"
  529. username = "%{User-Name}"
  530. case_sensitive = yes
  531. check_with_nas = yes
  532. permissions = 384
  533. caller_id = yes
  534. }
  535. # Loaded module rlm_realm
  536. # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
  537. realm IPASS {
  538. format = "prefix"
  539. delimiter = "/"
  540. ignore_default = no
  541. ignore_null = no
  542. }
  543. # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
  544. realm suffix {
  545. format = "suffix"
  546. delimiter = "@"
  547. ignore_default = no
  548. ignore_null = no
  549. }
  550. # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
  551. realm realmpercent {
  552. format = "suffix"
  553. delimiter = "%"
  554. ignore_default = no
  555. ignore_null = no
  556. }
  557. # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
  558. realm ntdomain {
  559. format = "prefix"
  560. delimiter = "\"
  561. ignore_default = no
  562. ignore_null = no
  563. }
  564. # Loaded module rlm_replicate
  565. # Instantiating module "replicate" from file /etc/raddb/mods-enabled/replicate
  566. # Loaded module rlm_soh
  567. # Instantiating module "soh" from file /etc/raddb/mods-enabled/soh
  568. soh {
  569. dhcp = yes
  570. }
  571. # Instantiating module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
  572. radutmp sradutmp {
  573. filename = "/var/log/radius/sradutmp"
  574. username = "%{User-Name}"
  575. case_sensitive = yes
  576. check_with_nas = yes
  577. permissions = 420
  578. caller_id = no
  579. }
  580. # Loaded module rlm_unix
  581. # Instantiating module "unix" from file /etc/raddb/mods-enabled/unix
  582. unix {
  583. radwtmp = "/var/log/radius/radwtmp"
  584. }
  585. # Loaded module rlm_unpack
  586. # Instantiating module "unpack" from file /etc/raddb/mods-enabled/unpack
  587. # Loaded module rlm_utf8
  588. # Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8
  589. # Loaded module rlm_ldap
  590. # Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap
  591. ldap {
  592. server = "ipa.home.stegard.nu"
  593. port = 389
  594. password = <<< secret >>>
  595. identity = ""
  596. user {
  597. filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
  598. scope = "sub"
  599. base_dn = "dc=home,dc=stegard,dc=nu"
  600. access_positive = yes
  601. }
  602. group {
  603. filter = "(objectClass=posixGroup)"
  604. scope = "sub"
  605. base_dn = "dc=home,dc=stegard,dc=nu"
  606. name_attribute = "cn"
  607. membership_attribute = "memberOf"
  608. cacheable_name = no
  609. cacheable_dn = no
  610. }
  611. client {
  612. filter = "(objectClass=frClient)"
  613. scope = "sub"
  614. base_dn = "dc=home,dc=stegard,dc=nu"
  615. attribute {
  616. identifier = "radiusClientIdentifier"
  617. shortname = "cn"
  618. secret = "radiusClientSecret"
  619. }
  620. }
  621. profile {
  622. filter = "(&)"
  623. }
  624. options {
  625. ldap_debug = 40
  626. chase_referrals = yes
  627. rebind = yes
  628. net_timeout = 1
  629. res_timeout = 20
  630. srv_timelimit = 20
  631. idle = 60
  632. probes = 3
  633. interval = 3
  634. }
  635. tls {
  636. start_tls = no
  637. }
  638. }
  639. rlm_ldap: Falling back to build time libldap version info. Query for LDAP_OPT_API_INFO returned: -1
  640. rlm_ldap: libldap vendor: OpenLDAP version: 20440
  641. accounting {
  642. reference = "%{tolower:type.%{Acct-Status-Type}}"
  643. }
  644. post-auth {
  645. reference = "."
  646. }
  647. rlm_ldap (ldap): Initialising connection pool
  648. pool {
  649. start = 5
  650. min = 4
  651. max = 32
  652. spare = 3
  653. uses = 0
  654. lifetime = 0
  655. cleanup_interval = 30
  656. idle_timeout = 60
  657. retry_delay = 1
  658. spread = no
  659. }
  660. rlm_ldap (ldap): Opening additional connection (0)
  661. rlm_ldap (ldap): Connecting to ipa.home.stegard.nu:389
  662. rlm_ldap (ldap): Waiting for bind result...
  663. rlm_ldap (ldap): Bind successful
  664. rlm_ldap (ldap): Opening additional connection (1)
  665. rlm_ldap (ldap): Connecting to ipa.home.stegard.nu:389
  666. rlm_ldap (ldap): Waiting for bind result...
  667. rlm_ldap (ldap): Bind successful
  668. rlm_ldap (ldap): Opening additional connection (2)
  669. rlm_ldap (ldap): Connecting to ipa.home.stegard.nu:389
  670. rlm_ldap (ldap): Waiting for bind result...
  671. rlm_ldap (ldap): Bind successful
  672. rlm_ldap (ldap): Opening additional connection (3)
  673. rlm_ldap (ldap): Connecting to ipa.home.stegard.nu:389
  674. rlm_ldap (ldap): Waiting for bind result...
  675. rlm_ldap (ldap): Bind successful
  676. rlm_ldap (ldap): Opening additional connection (4)
  677. rlm_ldap (ldap): Connecting to ipa.home.stegard.nu:389
  678. rlm_ldap (ldap): Waiting for bind result...
  679. rlm_ldap (ldap): Bind successful
  680. } # modules
  681. radiusd: #### Loading Virtual Servers ####
  682. server { # from file /etc/raddb/radiusd.conf
  683. } # server
  684. server default { # from file /etc/raddb/sites-enabled/default
  685. # Creating Auth-Type = digest
  686. # Creating Auth-Type = LDAP
  687. # Loading authenticate {...}
  688. # Loading authorize {...}
  689. Ignoring "sql" (see raddb/mods-available/README.rst)
  690. # Loading preacct {...}
  691. # Loading accounting {...}
  692. # Loading post-proxy {...}
  693. # Loading post-auth {...}
  694. } # server default
  695. server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
  696. # Loading authenticate {...}
  697. # Loading authorize {...}
  698. # Loading session {...}
  699. # Loading post-proxy {...}
  700. # Loading post-auth {...}
  701. } # server inner-tunnel
  702. radiusd: #### Opening IP addresses and Ports ####
  703. listen {
  704. type = "auth"
  705. ipaddr = *
  706. port = 0
  707. limit {
  708. max_connections = 16
  709. lifetime = 0
  710. idle_timeout = 30
  711. }
  712. }
  713. listen {
  714. type = "acct"
  715. ipaddr = *
  716. port = 0
  717. limit {
  718. max_connections = 16
  719. lifetime = 0
  720. idle_timeout = 30
  721. }
  722. }
  723. listen {
  724. type = "auth"
  725. ipv6addr = ::
  726. port = 0
  727. limit {
  728. max_connections = 16
  729. lifetime = 0
  730. idle_timeout = 30
  731. }
  732. }
  733. listen {
  734. type = "acct"
  735. ipv6addr = ::
  736. port = 0
  737. limit {
  738. max_connections = 16
  739. lifetime = 0
  740. idle_timeout = 30
  741. }
  742. }
  743. listen {
  744. type = "auth"
  745. ipaddr = 127.0.0.1
  746. port = 18120
  747. }
  748. Listening on auth address * port 1812 as server default
  749. Listening on acct address * port 1813 as server default
  750. Listening on auth address :: port 1812 as server default
  751. Listening on acct address :: port 1813 as server default
  752. Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
  753. Opening new proxy socket 'proxy address * port 0'
  754. Listening on proxy address * port 33835
  755. Ready to process requests
  756. Received Access-Request Id 202 from 10.0.0.2:57819 to 10.0.0.30:1812 length 130
  757. User-Name = 'admin'
  758. NAS-IP-Address = 10.0.0.2
  759. NAS-Identifier = 'RalinkAP0'
  760. NAS-Port = 0
  761. Called-Station-Id = '38-2C-4A-A3-67-E0'
  762. Calling-Station-Id = '88-79-7E-99-D4-47'
  763. Framed-MTU = 1400
  764. NAS-Port-Type = Wireless-802.11
  765. EAP-Message = 0x0201000a0161646d696e
  766. Message-Authenticator = 0x8b1a867d79ea27d8575f243474b3b903
  767. (0) Received Access-Request packet from host 10.0.0.2 port 57819, id=202, length=130
  768. (0) User-Name = 'admin'
  769. (0) NAS-IP-Address = 10.0.0.2
  770. (0) NAS-Identifier = 'RalinkAP0'
  771. (0) NAS-Port = 0
  772. (0) Called-Station-Id = '38-2C-4A-A3-67-E0'
  773. (0) Calling-Station-Id = '88-79-7E-99-D4-47'
  774. (0) Framed-MTU = 1400
  775. (0) NAS-Port-Type = Wireless-802.11
  776. (0) EAP-Message = 0x0201000a0161646d696e
  777. (0) Message-Authenticator = 0x8b1a867d79ea27d8575f243474b3b903
  778. (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
  779. (0) authorize {
  780. (0) filter_username filter_username {
  781. (0) if (!&User-Name)
  782. (0) if (!&User-Name) -> FALSE
  783. (0) if (&User-Name =~ / /)
  784. (0) if (&User-Name =~ / /) -> FALSE
  785. (0) if (&User-Name =~ /@.*@/ )
  786. (0) if (&User-Name =~ /@.*@/ ) -> FALSE
  787. (0) if (&User-Name =~ /\\.\\./ )
  788. (0) if (&User-Name =~ /\\.\\./ ) -> FALSE
  789. (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
  790. (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
  791. (0) if (&User-Name =~ /\\.$/)
  792. (0) if (&User-Name =~ /\\.$/) -> FALSE
  793. (0) if (&User-Name =~ /@\\./)
  794. (0) if (&User-Name =~ /@\\./) -> FALSE
  795. (0) } # filter_username filter_username = notfound
  796. (0) [preprocess] = ok
  797. (0) [chap] = noop
  798. (0) [mschap] = noop
  799. (0) [digest] = noop
  800. (0) suffix : Checking for suffix after "@"
  801. (0) suffix : No '@' in User-Name = "admin", looking up realm NULL
  802. (0) suffix : No such realm "NULL"
  803. (0) [suffix] = noop
  804. (0) eap : Peer sent code Response (2) ID 1 length 10
  805. (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
  806. (0) [eap] = ok
  807. (0) } # authorize = ok
  808. (0) Found Auth-Type = EAP
  809. (0) # Executing group from file /etc/raddb/sites-enabled/default
  810. (0) authenticate {
  811. (0) eap : Peer sent method Identity (1)
  812. (0) eap : Calling eap_md5 to process EAP data
  813. (0) eap_md5 : Issuing MD5 Challenge
  814. (0) eap : New EAP session, adding 'State' attribute to reply 0x61f2e62461f0e2bc
  815. (0) [eap] = handled
  816. (0) } # authenticate = handled
  817. (0) Sending Access-Challenge packet to host 10.0.0.2 port 57819, id=202, length=0
  818. (0) EAP-Message = 0x01020016041038b2b21facb5920d51585072cd01e2e2
  819. (0) Message-Authenticator = 0x00000000000000000000000000000000
  820. (0) State = 0x61f2e62461f0e2bc47493858800a8868
  821. Sending Access-Challenge Id 202 from 10.0.0.30:1812 to 10.0.0.2:57819
  822. EAP-Message = 0x01020016041038b2b21facb5920d51585072cd01e2e2
  823. Message-Authenticator = 0x00000000000000000000000000000000
  824. State = 0x61f2e62461f0e2bc47493858800a8868
  825. (0) Finished request
  826. Waking up in 0.3 seconds.
  827. Received Access-Request Id 203 from 10.0.0.2:57819 to 10.0.0.30:1812 length 144
  828. User-Name = 'admin'
  829. NAS-IP-Address = 10.0.0.2
  830. NAS-Identifier = 'RalinkAP0'
  831. NAS-Port = 0
  832. Called-Station-Id = '38-2C-4A-A3-67-E0'
  833. Calling-Station-Id = '88-79-7E-99-D4-47'
  834. Framed-MTU = 1400
  835. NAS-Port-Type = Wireless-802.11
  836. EAP-Message = 0x020200060319
  837. State = 0x61f2e62461f0e2bc47493858800a8868
  838. Message-Authenticator = 0x9b8c5f6ad614a7897edc36da438735ef
  839. (1) Received Access-Request packet from host 10.0.0.2 port 57819, id=203, length=144
  840. (1) User-Name = 'admin'
  841. (1) NAS-IP-Address = 10.0.0.2
  842. (1) NAS-Identifier = 'RalinkAP0'
  843. (1) NAS-Port = 0
  844. (1) Called-Station-Id = '38-2C-4A-A3-67-E0'
  845. (1) Calling-Station-Id = '88-79-7E-99-D4-47'
  846. (1) Framed-MTU = 1400
  847. (1) NAS-Port-Type = Wireless-802.11
  848. (1) EAP-Message = 0x020200060319
  849. (1) State = 0x61f2e62461f0e2bc47493858800a8868
  850. (1) Message-Authenticator = 0x9b8c5f6ad614a7897edc36da438735ef
  851. (1) # Executing section authorize from file /etc/raddb/sites-enabled/default
  852. (1) authorize {
  853. (1) filter_username filter_username {
  854. (1) if (!&User-Name)
  855. (1) if (!&User-Name) -> FALSE
  856. (1) if (&User-Name =~ / /)
  857. (1) if (&User-Name =~ / /) -> FALSE
  858. (1) if (&User-Name =~ /@.*@/ )
  859. (1) if (&User-Name =~ /@.*@/ ) -> FALSE
  860. (1) if (&User-Name =~ /\\.\\./ )
  861. (1) if (&User-Name =~ /\\.\\./ ) -> FALSE
  862. (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
  863. (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
  864. (1) if (&User-Name =~ /\\.$/)
  865. (1) if (&User-Name =~ /\\.$/) -> FALSE
  866. (1) if (&User-Name =~ /@\\./)
  867. (1) if (&User-Name =~ /@\\./) -> FALSE
  868. (1) } # filter_username filter_username = notfound
  869. (1) [preprocess] = ok
  870. (1) [chap] = noop
  871. (1) [mschap] = noop
  872. (1) [digest] = noop
  873. (1) suffix : Checking for suffix after "@"
  874. (1) suffix : No '@' in User-Name = "admin", looking up realm NULL
  875. (1) suffix : No such realm "NULL"
  876. (1) [suffix] = noop
  877. (1) eap : Peer sent code Response (2) ID 2 length 6
  878. (1) eap : No EAP Start, assuming it's an on-going EAP conversation
  879. (1) [eap] = updated
  880. (1) [files] = noop
  881. rlm_ldap (ldap): Reserved connection (4)
  882. (1) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
  883. (1) ldap : --> (uid=admin)
  884. (1) ldap : EXPAND dc=home,dc=stegard,dc=nu
  885. (1) ldap : --> dc=home,dc=stegard,dc=nu
  886. (1) ldap : Performing search in 'dc=home,dc=stegard,dc=nu' with filter '(uid=admin)', scope 'sub'
  887. (1) ldap : Waiting for search result...
  888. (1) ldap : User object found at DN "uid=admin,cn=users,cn=compat,dc=home,dc=stegard,dc=nu"
  889. (1) ldap : Processing user attributes
  890. (1) WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute
  891. (1) WARNING: ldap : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
  892. rlm_ldap (ldap): Released connection (4)
  893. (1) [ldap] = ok
  894. (1) if ((ok || updated) && User-Password)
  895. (1) if ((ok || updated) && User-Password) -> FALSE
  896. (1) [expiration] = noop
  897. (1) [logintime] = noop
  898. (1) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
  899. (1) WARNING: pap : Authentication will fail unless a "known good" password is available
  900. (1) [pap] = noop
  901. (1) } # authorize = updated
  902. (1) Found Auth-Type = EAP
  903. (1) # Executing group from file /etc/raddb/sites-enabled/default
  904. (1) authenticate {
  905. (1) eap : Expiring EAP session with state 0x61f2e62461f0e2bc
  906. (1) eap : Finished EAP session with state 0x61f2e62461f0e2bc
  907. (1) eap : Previous EAP request found for state 0x61f2e62461f0e2bc, released from the list
  908. (1) eap : Peer sent method NAK (3)
  909. (1) eap : Found mutually acceptable type PEAP (25)
  910. (1) eap : Calling eap_peap to process EAP data
  911. (1) eap_peap : Flushing SSL sessions (of #0)
  912. (1) eap_peap : Initiate
  913. (1) eap_peap : Start returned 1
  914. (1) eap : New EAP session, adding 'State' attribute to reply 0x61f2e62460f1ffbc
  915. (1) [eap] = handled
  916. (1) } # authenticate = handled
  917. (1) Sending Access-Challenge packet to host 10.0.0.2 port 57819, id=203, length=0
  918. (1) EAP-Message = 0x010300061920
  919. (1) Message-Authenticator = 0x00000000000000000000000000000000
  920. (1) State = 0x61f2e62460f1ffbc47493858800a8868
  921. Sending Access-Challenge Id 203 from 10.0.0.30:1812 to 10.0.0.2:57819
  922. EAP-Message = 0x010300061920
  923. Message-Authenticator = 0x00000000000000000000000000000000
  924. State = 0x61f2e62460f1ffbc47493858800a8868
  925. (1) Finished request
  926. Waking up in 0.3 seconds.
  927. Received Access-Request Id 204 from 10.0.0.2:57819 to 10.0.0.30:1812 length 313
  928. User-Name = 'admin'
  929. NAS-IP-Address = 10.0.0.2
  930. NAS-Identifier = 'RalinkAP0'
  931. NAS-Port = 0
  932. Called-Station-Id = '38-2C-4A-A3-67-E0'
  933. Calling-Station-Id = '88-79-7E-99-D4-47'
  934. Framed-MTU = 1400
  935. NAS-Port-Type = Wireless-802.11
  936. EAP-Message = 0x020300af1980000000a516030100a00100009c0303ec8f5638b349f7a3a3ba33d06dfef4abb4adb21059c37a550379de35789651dd00003ecca9cca8c02cc030009fc02bc02f009ec00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a01000035ff0100010000170000000d001600140601060305010503040104030301030302010203000b00020100000a00080006001700180019
  937. State = 0x61f2e62460f1ffbc47493858800a8868
  938. Message-Authenticator = 0x0b2ecc615cef876c72ab6f864af9bb2d
  939. (2) Received Access-Request packet from host 10.0.0.2 port 57819, id=204, length=313
  940. (2) User-Name = 'admin'
  941. (2) NAS-IP-Address = 10.0.0.2
  942. (2) NAS-Identifier = 'RalinkAP0'
  943. (2) NAS-Port = 0
  944. (2) Called-Station-Id = '38-2C-4A-A3-67-E0'
  945. (2) Calling-Station-Id = '88-79-7E-99-D4-47'
  946. (2) Framed-MTU = 1400
  947. (2) NAS-Port-Type = Wireless-802.11
  948. (2) EAP-Message = 0x020300af1980000000a516030100a00100009c0303ec8f5638b349f7a3a3ba33d06dfef4abb4adb21059c37a550379de35789651dd00003ecca9cca8c02cc030009fc02bc02f009ec00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a01000035ff0100010000170000000d001600140601060305010503040104030301030302010203000b00020100000a00080006001700180019
  949. (2) State = 0x61f2e62460f1ffbc47493858800a8868
  950. (2) Message-Authenticator = 0x0b2ecc615cef876c72ab6f864af9bb2d
  951. (2) # Executing section authorize from file /etc/raddb/sites-enabled/default
  952. (2) authorize {
  953. (2) filter_username filter_username {
  954. (2) if (!&User-Name)
  955. (2) if (!&User-Name) -> FALSE
  956. (2) if (&User-Name =~ / /)
  957. (2) if (&User-Name =~ / /) -> FALSE
  958. (2) if (&User-Name =~ /@.*@/ )
  959. (2) if (&User-Name =~ /@.*@/ ) -> FALSE
  960. (2) if (&User-Name =~ /\\.\\./ )
  961. (2) if (&User-Name =~ /\\.\\./ ) -> FALSE
  962. (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
  963. (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
  964. (2) if (&User-Name =~ /\\.$/)
  965. (2) if (&User-Name =~ /\\.$/) -> FALSE
  966. (2) if (&User-Name =~ /@\\./)
  967. (2) if (&User-Name =~ /@\\./) -> FALSE
  968. (2) } # filter_username filter_username = notfound
  969. (2) [preprocess] = ok
  970. (2) [chap] = noop
  971. (2) [mschap] = noop
  972. (2) [digest] = noop
  973. (2) suffix : Checking for suffix after "@"
  974. (2) suffix : No '@' in User-Name = "admin", looking up realm NULL
  975. (2) suffix : No such realm "NULL"
  976. (2) [suffix] = noop
  977. (2) eap : Peer sent code Response (2) ID 3 length 175
  978. (2) eap : Continuing tunnel setup
  979. (2) [eap] = ok
  980. (2) } # authorize = ok
  981. (2) Found Auth-Type = EAP
  982. (2) # Executing group from file /etc/raddb/sites-enabled/default
  983. (2) authenticate {
  984. (2) eap : Expiring EAP session with state 0x61f2e62460f1ffbc
  985. (2) eap : Finished EAP session with state 0x61f2e62460f1ffbc
  986. (2) eap : Previous EAP request found for state 0x61f2e62460f1ffbc, released from the list
  987. (2) eap : Peer sent method PEAP (25)
  988. (2) eap : EAP PEAP (25)
  989. (2) eap : Calling eap_peap to process EAP data
  990. (2) eap_peap : processing EAP-TLS
  991. TLS Length 165
  992. (2) eap_peap : Length Included
  993. (2) eap_peap : eaptls_verify returned 11
  994. (2) eap_peap : (other): before/accept initialization
  995. (2) eap_peap : TLS_accept: before/accept initialization
  996. (2) eap_peap : <<< TLS 1.0 Handshake [length 00a0], ClientHello
  997. (2) eap_peap : TLS_accept: SSLv3 read client hello A
  998. (2) eap_peap : >>> TLS 1.0 Handshake [length 0059], ServerHello
  999. (2) eap_peap : TLS_accept: SSLv3 write server hello A
  1000. (2) eap_peap : >>> TLS 1.0 Handshake [length 08d0], Certificate
  1001. (2) eap_peap : TLS_accept: SSLv3 write certificate A
  1002. (2) eap_peap : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
  1003. (2) eap_peap : TLS_accept: SSLv3 write key exchange A
  1004. (2) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
  1005. (2) eap_peap : TLS_accept: SSLv3 write server done A
  1006. (2) eap_peap : TLS_accept: SSLv3 flush data
  1007. (2) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A
  1008. In SSL Handshake Phase
  1009. In SSL Accept mode
  1010. (2) eap_peap : eaptls_process returned 13
  1011. (2) eap_peap : FR_TLS_HANDLED
  1012. (2) eap : New EAP session, adding 'State' attribute to reply 0x61f2e62463f6ffbc
  1013. (2) [eap] = handled
  1014. (2) } # authenticate = handled
  1015. (2) Sending Access-Challenge packet to host 10.0.0.2 port 57819, id=204, length=0
  1016. (2) EAP-Message = 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
  1017. (2) Message-Authenticator = 0x00000000000000000000000000000000
  1018. (2) State = 0x61f2e62463f6ffbc47493858800a8868
  1019. Sending Access-Challenge Id 204 from 10.0.0.30:1812 to 10.0.0.2:57819
  1020. EAP-Message = 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
  1021. Message-Authenticator = 0x00000000000000000000000000000000
  1022. State = 0x61f2e62463f6ffbc47493858800a8868
  1023. (2) Finished request
  1024. Waking up in 0.3 seconds.
  1025. Received Access-Request Id 205 from 10.0.0.2:57819 to 10.0.0.30:1812 length 144
  1026. User-Name = 'admin'
  1027. NAS-IP-Address = 10.0.0.2
  1028. NAS-Identifier = 'RalinkAP0'
  1029. NAS-Port = 0
  1030. Called-Station-Id = '38-2C-4A-A3-67-E0'
  1031. Calling-Station-Id = '88-79-7E-99-D4-47'
  1032. Framed-MTU = 1400
  1033. NAS-Port-Type = Wireless-802.11
  1034. EAP-Message = 0x020400061900
  1035. State = 0x61f2e62463f6ffbc47493858800a8868
  1036. Message-Authenticator = 0xf25f1e39be03338fb45d0386219a5802
  1037. (3) Received Access-Request packet from host 10.0.0.2 port 57819, id=205, length=144
  1038. (3) User-Name = 'admin'
  1039. (3) NAS-IP-Address = 10.0.0.2
  1040. (3) NAS-Identifier = 'RalinkAP0'
  1041. (3) NAS-Port = 0
  1042. (3) Called-Station-Id = '38-2C-4A-A3-67-E0'
  1043. (3) Calling-Station-Id = '88-79-7E-99-D4-47'
  1044. (3) Framed-MTU = 1400
  1045. (3) NAS-Port-Type = Wireless-802.11
  1046. (3) EAP-Message = 0x020400061900
  1047. (3) State = 0x61f2e62463f6ffbc47493858800a8868
  1048. (3) Message-Authenticator = 0xf25f1e39be03338fb45d0386219a5802
  1049. (3) # Executing section authorize from file /etc/raddb/sites-enabled/default
  1050. (3) authorize {
  1051. (3) filter_username filter_username {
  1052. (3) if (!&User-Name)
  1053. (3) if (!&User-Name) -> FALSE
  1054. (3) if (&User-Name =~ / /)
  1055. (3) if (&User-Name =~ / /) -> FALSE
  1056. (3) if (&User-Name =~ /@.*@/ )
  1057. (3) if (&User-Name =~ /@.*@/ ) -> FALSE
  1058. (3) if (&User-Name =~ /\\.\\./ )
  1059. (3) if (&User-Name =~ /\\.\\./ ) -> FALSE
  1060. (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
  1061. (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
  1062. (3) if (&User-Name =~ /\\.$/)
  1063. (3) if (&User-Name =~ /\\.$/) -> FALSE
  1064. (3) if (&User-Name =~ /@\\./)
  1065. (3) if (&User-Name =~ /@\\./) -> FALSE
  1066. (3) } # filter_username filter_username = notfound
  1067. (3) [preprocess] = ok
  1068. (3) [chap] = noop
  1069. (3) [mschap] = noop
  1070. (3) [digest] = noop
  1071. (3) suffix : Checking for suffix after "@"
  1072. (3) suffix : No '@' in User-Name = "admin", looking up realm NULL
  1073. (3) suffix : No such realm "NULL"
  1074. (3) [suffix] = noop
  1075. (3) eap : Peer sent code Response (2) ID 4 length 6
  1076. (3) eap : Continuing tunnel setup
  1077. (3) [eap] = ok
  1078. (3) } # authorize = ok
  1079. (3) Found Auth-Type = EAP
  1080. (3) # Executing group from file /etc/raddb/sites-enabled/default
  1081. (3) authenticate {
  1082. (3) eap : Expiring EAP session with state 0x61f2e62463f6ffbc
  1083. (3) eap : Finished EAP session with state 0x61f2e62463f6ffbc
  1084. (3) eap : Previous EAP request found for state 0x61f2e62463f6ffbc, released from the list
  1085. (3) eap : Peer sent method PEAP (25)
  1086. (3) eap : EAP PEAP (25)
  1087. (3) eap : Calling eap_peap to process EAP data
  1088. (3) eap_peap : processing EAP-TLS
  1089. (3) eap_peap : Received TLS ACK
  1090. (3) eap_peap : Received TLS ACK
  1091. (3) eap_peap : ACK handshake fragment handler
  1092. (3) eap_peap : eaptls_verify returned 1
  1093. (3) eap_peap : eaptls_process returned 13
  1094. (3) eap_peap : FR_TLS_HANDLED
  1095. (3) eap : New EAP session, adding 'State' attribute to reply 0x61f2e62462f7ffbc
  1096. (3) [eap] = handled
  1097. (3) } # authenticate = handled
  1098. (3) Sending Access-Challenge packet to host 10.0.0.2 port 57819, id=205, length=0
  1099. (3) EAP-Message = 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
  1100. (3) Message-Authenticator = 0x00000000000000000000000000000000
  1101. (3) State = 0x61f2e62462f7ffbc47493858800a8868
  1102. Sending Access-Challenge Id 205 from 10.0.0.30:1812 to 10.0.0.2:57819
  1103. EAP-Message = 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
  1104. Message-Authenticator = 0x00000000000000000000000000000000
  1105. State = 0x61f2e62462f7ffbc47493858800a8868
  1106. (3) Finished request
  1107. Waking up in 0.2 seconds.
  1108. Received Access-Request Id 206 from 10.0.0.2:57819 to 10.0.0.30:1812 length 144
  1109. User-Name = 'admin'
  1110. NAS-IP-Address = 10.0.0.2
  1111. NAS-Identifier = 'RalinkAP0'
  1112. NAS-Port = 0
  1113. Called-Station-Id = '38-2C-4A-A3-67-E0'
  1114. Calling-Station-Id = '88-79-7E-99-D4-47'
  1115. Framed-MTU = 1400
  1116. NAS-Port-Type = Wireless-802.11
  1117. EAP-Message = 0x020500061900
  1118. State = 0x61f2e62462f7ffbc47493858800a8868
  1119. Message-Authenticator = 0x9425043b049ba944652870e36b14c373
  1120. (4) Received Access-Request packet from host 10.0.0.2 port 57819, id=206, length=144
  1121. (4) User-Name = 'admin'
  1122. (4) NAS-IP-Address = 10.0.0.2
  1123. (4) NAS-Identifier = 'RalinkAP0'
  1124. (4) NAS-Port = 0
  1125. (4) Called-Station-Id = '38-2C-4A-A3-67-E0'
  1126. (4) Calling-Station-Id = '88-79-7E-99-D4-47'
  1127. (4) Framed-MTU = 1400
  1128. (4) NAS-Port-Type = Wireless-802.11
  1129. (4) EAP-Message = 0x020500061900
  1130. (4) State = 0x61f2e62462f7ffbc47493858800a8868
  1131. (4) Message-Authenticator = 0x9425043b049ba944652870e36b14c373
  1132. (4) # Executing section authorize from file /etc/raddb/sites-enabled/default
  1133. (4) authorize {
  1134. (4) filter_username filter_username {
  1135. (4) if (!&User-Name)
  1136. (4) if (!&User-Name) -> FALSE
  1137. (4) if (&User-Name =~ / /)
  1138. (4) if (&User-Name =~ / /) -> FALSE
  1139. (4) if (&User-Name =~ /@.*@/ )
  1140. (4) if (&User-Name =~ /@.*@/ ) -> FALSE
  1141. (4) if (&User-Name =~ /\\.\\./ )
  1142. (4) if (&User-Name =~ /\\.\\./ ) -> FALSE
  1143. (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
  1144. (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
  1145. (4) if (&User-Name =~ /\\.$/)
  1146. (4) if (&User-Name =~ /\\.$/) -> FALSE
  1147. (4) if (&User-Name =~ /@\\./)
  1148. (4) if (&User-Name =~ /@\\./) -> FALSE
  1149. (4) } # filter_username filter_username = notfound
  1150. (4) [preprocess] = ok
  1151. (4) [chap] = noop
  1152. (4) [mschap] = noop
  1153. (4) [digest] = noop
  1154. (4) suffix : Checking for suffix after "@"
  1155. (4) suffix : No '@' in User-Name = "admin", looking up realm NULL
  1156. (4) suffix : No such realm "NULL"
  1157. (4) [suffix] = noop
  1158. (4) eap : Peer sent code Response (2) ID 5 length 6
  1159. (4) eap : Continuing tunnel setup
  1160. (4) [eap] = ok
  1161. (4) } # authorize = ok
  1162. (4) Found Auth-Type = EAP
  1163. (4) # Executing group from file /etc/raddb/sites-enabled/default
  1164. (4) authenticate {
  1165. (4) eap : Expiring EAP session with state 0x61f2e62462f7ffbc
  1166. (4) eap : Finished EAP session with state 0x61f2e62462f7ffbc
  1167. (4) eap : Previous EAP request found for state 0x61f2e62462f7ffbc, released from the list
  1168. (4) eap : Peer sent method PEAP (25)
  1169. (4) eap : EAP PEAP (25)
  1170. (4) eap : Calling eap_peap to process EAP data
  1171. (4) eap_peap : processing EAP-TLS
  1172. (4) eap_peap : Received TLS ACK
  1173. (4) eap_peap : Received TLS ACK
  1174. (4) eap_peap : ACK handshake fragment handler
  1175. (4) eap_peap : eaptls_verify returned 1
  1176. (4) eap_peap : eaptls_process returned 13
  1177. (4) eap_peap : FR_TLS_HANDLED
  1178. (4) eap : New EAP session, adding 'State' attribute to reply 0x61f2e62465f4ffbc
  1179. (4) [eap] = handled
  1180. (4) } # authenticate = handled
  1181. (4) Sending Access-Challenge packet to host 10.0.0.2 port 57819, id=206, length=0
  1182. (4) EAP-Message = 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
  1183. (4) Message-Authenticator = 0x00000000000000000000000000000000
  1184. (4) State = 0x61f2e62465f4ffbc47493858800a8868
  1185. Sending Access-Challenge Id 206 from 10.0.0.30:1812 to 10.0.0.2:57819
  1186. EAP-Message = 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
  1187. Message-Authenticator = 0x00000000000000000000000000000000
  1188. State = 0x61f2e62465f4ffbc47493858800a8868
  1189. (4) Finished request
  1190. Waking up in 0.2 seconds.
  1191. Received Access-Request Id 207 from 10.0.0.2:57819 to 10.0.0.30:1812 length 282
  1192. User-Name = 'admin'
  1193. NAS-IP-Address = 10.0.0.2
  1194. NAS-Identifier = 'RalinkAP0'
  1195. NAS-Port = 0
  1196. Called-Station-Id = '38-2C-4A-A3-67-E0'
  1197. Calling-Station-Id = '88-79-7E-99-D4-47'
  1198. Framed-MTU = 1400
  1199. NAS-Port-Type = Wireless-802.11
  1200. EAP-Message = 0x0206009019800000008616030100461000004241048479772e29267a11acb2551ab15f4c0e83d791a3669c3893fad95fda05ad81f8a6933c286ce7a3113c18e21bae51acea34b7917925bb7ccf35615382ca08f9b21403010001011603010030a4a9ea18655ee51eb778602fbe42cab139a21245d9d8b609d6f5341af3dcf907832cc5d2551f41538920fe0613a9b1ae
  1201. State = 0x61f2e62465f4ffbc47493858800a8868
  1202. Message-Authenticator = 0xbf506b6dca95dc4d9447c6fb0e31a6eb
  1203. (5) Received Access-Request packet from host 10.0.0.2 port 57819, id=207, length=282
  1204. (5) User-Name = 'admin'
  1205. (5) NAS-IP-Address = 10.0.0.2
  1206. (5) NAS-Identifier = 'RalinkAP0'
  1207. (5) NAS-Port = 0
  1208. (5) Called-Station-Id = '38-2C-4A-A3-67-E0'
  1209. (5) Calling-Station-Id = '88-79-7E-99-D4-47'
  1210. (5) Framed-MTU = 1400
  1211. (5) NAS-Port-Type = Wireless-802.11
  1212. (5) EAP-Message = 0x0206009019800000008616030100461000004241048479772e29267a11acb2551ab15f4c0e83d791a3669c3893fad95fda05ad81f8a6933c286ce7a3113c18e21bae51acea34b7917925bb7ccf35615382ca08f9b21403010001011603010030a4a9ea18655ee51eb778602fbe42cab139a21245d9d8b609d6f5341af3dcf907832cc5d2551f41538920fe0613a9b1ae
  1213. (5) State = 0x61f2e62465f4ffbc47493858800a8868
  1214. (5) Message-Authenticator = 0xbf506b6dca95dc4d9447c6fb0e31a6eb
  1215. (5) # Executing section authorize from file /etc/raddb/sites-enabled/default
  1216. (5) authorize {
  1217. (5) filter_username filter_username {
  1218. (5) if (!&User-Name)
  1219. (5) if (!&User-Name) -> FALSE
  1220. (5) if (&User-Name =~ / /)
  1221. (5) if (&User-Name =~ / /) -> FALSE
  1222. (5) if (&User-Name =~ /@.*@/ )
  1223. (5) if (&User-Name =~ /@.*@/ ) -> FALSE
  1224. (5) if (&User-Name =~ /\\.\\./ )
  1225. (5) if (&User-Name =~ /\\.\\./ ) -> FALSE
  1226. (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
  1227. (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
  1228. (5) if (&User-Name =~ /\\.$/)
  1229. (5) if (&User-Name =~ /\\.$/) -> FALSE
  1230. (5) if (&User-Name =~ /@\\./)
  1231. (5) if (&User-Name =~ /@\\./) -> FALSE
  1232. (5) } # filter_username filter_username = notfound
  1233. (5) [preprocess] = ok
  1234. (5) [chap] = noop
  1235. (5) [mschap] = noop
  1236. (5) [digest] = noop
  1237. (5) suffix : Checking for suffix after "@"
  1238. (5) suffix : No '@' in User-Name = "admin", looking up realm NULL
  1239. (5) suffix : No such realm "NULL"
  1240. (5) [suffix] = noop
  1241. (5) eap : Peer sent code Response (2) ID 6 length 144
  1242. (5) eap : Continuing tunnel setup
  1243. (5) [eap] = ok
  1244. (5) } # authorize = ok
  1245. (5) Found Auth-Type = EAP
  1246. (5) # Executing group from file /etc/raddb/sites-enabled/default
  1247. (5) authenticate {
  1248. (5) eap : Expiring EAP session with state 0x61f2e62465f4ffbc
  1249. (5) eap : Finished EAP session with state 0x61f2e62465f4ffbc
  1250. (5) eap : Previous EAP request found for state 0x61f2e62465f4ffbc, released from the list
  1251. (5) eap : Peer sent method PEAP (25)
  1252. (5) eap : EAP PEAP (25)
  1253. (5) eap : Calling eap_peap to process EAP data
  1254. (5) eap_peap : processing EAP-TLS
  1255. TLS Length 134
  1256. (5) eap_peap : Length Included
  1257. (5) eap_peap : eaptls_verify returned 11
  1258. (5) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
  1259. (5) eap_peap : TLS_accept: SSLv3 read client key exchange A
  1260. (5) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001]
  1261. (5) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished
  1262. (5) eap_peap : TLS_accept: SSLv3 read finished A
  1263. (5) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001]
  1264. (5) eap_peap : TLS_accept: SSLv3 write change cipher spec A
  1265. (5) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished
  1266. (5) eap_peap : TLS_accept: SSLv3 write finished A
  1267. (5) eap_peap : TLS_accept: SSLv3 flush data
  1268. SSL: adding session b8aa8379aecf7b1117f556ecb78c601fd19a0b81437e91f268515cf956c3ee82 to cache
  1269. (5) eap_peap : (other): SSL negotiation finished successfully
  1270. SSL Connection Established
  1271. (5) eap_peap : eaptls_process returned 13
  1272. (5) eap_peap : FR_TLS_HANDLED
  1273. (5) eap : New EAP session, adding 'State' attribute to reply 0x61f2e62464f5ffbc
  1274. (5) [eap] = handled
  1275. (5) } # authenticate = handled
  1276. (5) Sending Access-Challenge packet to host 10.0.0.2 port 57819, id=207, length=0
  1277. (5) EAP-Message = 0x010700411900140301000101160301003018651a5834dfcd8d6fc7467b6c9456cba8826614b32ecbdb9f15241592af1ecde6c5d608f70be18e322b7dc584b8687f
  1278. (5) Message-Authenticator = 0x00000000000000000000000000000000
  1279. (5) State = 0x61f2e62464f5ffbc47493858800a8868
  1280. Sending Access-Challenge Id 207 from 10.0.0.30:1812 to 10.0.0.2:57819
  1281. EAP-Message = 0x010700411900140301000101160301003018651a5834dfcd8d6fc7467b6c9456cba8826614b32ecbdb9f15241592af1ecde6c5d608f70be18e322b7dc584b8687f
  1282. Message-Authenticator = 0x00000000000000000000000000000000
  1283. State = 0x61f2e62464f5ffbc47493858800a8868
  1284. (5) Finished request
  1285. Waking up in 0.2 seconds.
  1286. Received Access-Request Id 208 from 10.0.0.2:57819 to 10.0.0.30:1812 length 144
  1287. User-Name = 'admin'
  1288. NAS-IP-Address = 10.0.0.2
  1289. NAS-Identifier = 'RalinkAP0'
  1290. NAS-Port = 0
  1291. Called-Station-Id = '38-2C-4A-A3-67-E0'
  1292. Calling-Station-Id = '88-79-7E-99-D4-47'
  1293. Framed-MTU = 1400
  1294. NAS-Port-Type = Wireless-802.11
  1295. EAP-Message = 0x020700061900
  1296. State = 0x61f2e62464f5ffbc47493858800a8868
  1297. Message-Authenticator = 0x684db5e9c7d0aa2e7f94b32e2a866f55
  1298. (6) Received Access-Request packet from host 10.0.0.2 port 57819, id=208, length=144
  1299. (6) User-Name = 'admin'
  1300. (6) NAS-IP-Address = 10.0.0.2
  1301. (6) NAS-Identifier = 'RalinkAP0'
  1302. (6) NAS-Port = 0
  1303. (6) Called-Station-Id = '38-2C-4A-A3-67-E0'
  1304. (6) Calling-Station-Id = '88-79-7E-99-D4-47'
  1305. (6) Framed-MTU = 1400
  1306. (6) NAS-Port-Type = Wireless-802.11
  1307. (6) EAP-Message = 0x020700061900
  1308. (6) State = 0x61f2e62464f5ffbc47493858800a8868
  1309. (6) Message-Authenticator = 0x684db5e9c7d0aa2e7f94b32e2a866f55
  1310. (6) # Executing section authorize from file /etc/raddb/sites-enabled/default
  1311. (6) authorize {
  1312. (6) filter_username filter_username {
  1313. (6) if (!&User-Name)
  1314. (6) if (!&User-Name) -> FALSE
  1315. (6) if (&User-Name =~ / /)
  1316. (6) if (&User-Name =~ / /) -> FALSE
  1317. (6) if (&User-Name =~ /@.*@/ )
  1318. (6) if (&User-Name =~ /@.*@/ ) -> FALSE
  1319. (6) if (&User-Name =~ /\\.\\./ )
  1320. (6) if (&User-Name =~ /\\.\\./ ) -> FALSE
  1321. (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
  1322. (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
  1323. (6) if (&User-Name =~ /\\.$/)
  1324. (6) if (&User-Name =~ /\\.$/) -> FALSE
  1325. (6) if (&User-Name =~ /@\\./)
  1326. (6) if (&User-Name =~ /@\\./) -> FALSE
  1327. (6) } # filter_username filter_username = notfound
  1328. (6) [preprocess] = ok
  1329. (6) [chap] = noop
  1330. (6) [mschap] = noop
  1331. (6) [digest] = noop
  1332. (6) suffix : Checking for suffix after "@"
  1333. (6) suffix : No '@' in User-Name = "admin", looking up realm NULL
  1334. (6) suffix : No such realm "NULL"
  1335. (6) [suffix] = noop
  1336. (6) eap : Peer sent code Response (2) ID 7 length 6
  1337. (6) eap : Continuing tunnel setup
  1338. (6) [eap] = ok
  1339. (6) } # authorize = ok
  1340. (6) Found Auth-Type = EAP
  1341. (6) # Executing group from file /etc/raddb/sites-enabled/default
  1342. (6) authenticate {
  1343. (6) eap : Expiring EAP session with state 0x61f2e62464f5ffbc
  1344. (6) eap : Finished EAP session with state 0x61f2e62464f5ffbc
  1345. (6) eap : Previous EAP request found for state 0x61f2e62464f5ffbc, released from the list
  1346. (6) eap : Peer sent method PEAP (25)
  1347. (6) eap : EAP PEAP (25)
  1348. (6) eap : Calling eap_peap to process EAP data
  1349. (6) eap_peap : processing EAP-TLS
  1350. (6) eap_peap : Received TLS ACK
  1351. (6) eap_peap : Received TLS ACK
  1352. (6) eap_peap : ACK handshake is finished
  1353. (6) eap_peap : eaptls_verify returned 3
  1354. (6) eap_peap : eaptls_process returned 3
  1355. (6) eap_peap : FR_TLS_SUCCESS
  1356. (6) eap_peap : Session established. Decoding tunneled attributes
  1357. (6) eap_peap : Peap state TUNNEL ESTABLISHED
  1358. (6) eap : New EAP session, adding 'State' attribute to reply 0x61f2e62467faffbc
  1359. (6) [eap] = handled
  1360. (6) } # authenticate = handled
  1361. (6) Sending Access-Challenge packet to host 10.0.0.2 port 57819, id=208, length=0
  1362. (6) EAP-Message = 0x0108002b19001703010020d28a3c186b28055077d250e9d48b8707cca6956825db05b45435b61b6e999f22
  1363. (6) Message-Authenticator = 0x00000000000000000000000000000000
  1364. (6) State = 0x61f2e62467faffbc47493858800a8868
  1365. Sending Access-Challenge Id 208 from 10.0.0.30:1812 to 10.0.0.2:57819
  1366. EAP-Message = 0x0108002b19001703010020d28a3c186b28055077d250e9d48b8707cca6956825db05b45435b61b6e999f22
  1367. Message-Authenticator = 0x00000000000000000000000000000000
  1368. State = 0x61f2e62467faffbc47493858800a8868
  1369. (6) Finished request
  1370. Waking up in 0.2 seconds.
  1371. Received Access-Request Id 209 from 10.0.0.2:57819 to 10.0.0.30:1812 length 181
  1372. User-Name = 'admin'
  1373. NAS-IP-Address = 10.0.0.2
  1374. NAS-Identifier = 'RalinkAP0'
  1375. NAS-Port = 0
  1376. Called-Station-Id = '38-2C-4A-A3-67-E0'
  1377. Calling-Station-Id = '88-79-7E-99-D4-47'
  1378. Framed-MTU = 1400
  1379. NAS-Port-Type = Wireless-802.11
  1380. EAP-Message = 0x0208002b19001703010020457c1c89986291b719e55bf4dca9a1e8cd2892074948cc2efb96d64f38df9710
  1381. State = 0x61f2e62467faffbc47493858800a8868
  1382. Message-Authenticator = 0x8692ab56a5083d567a446410fe3e8ac7
  1383. (7) Received Access-Request packet from host 10.0.0.2 port 57819, id=209, length=181
  1384. (7) User-Name = 'admin'
  1385. (7) NAS-IP-Address = 10.0.0.2
  1386. (7) NAS-Identifier = 'RalinkAP0'
  1387. (7) NAS-Port = 0
  1388. (7) Called-Station-Id = '38-2C-4A-A3-67-E0'
  1389. (7) Calling-Station-Id = '88-79-7E-99-D4-47'
  1390. (7) Framed-MTU = 1400
  1391. (7) NAS-Port-Type = Wireless-802.11
  1392. (7) EAP-Message = 0x0208002b19001703010020457c1c89986291b719e55bf4dca9a1e8cd2892074948cc2efb96d64f38df9710
  1393. (7) State = 0x61f2e62467faffbc47493858800a8868
  1394. (7) Message-Authenticator = 0x8692ab56a5083d567a446410fe3e8ac7
  1395. (7) # Executing section authorize from file /etc/raddb/sites-enabled/default
  1396. (7) authorize {
  1397. (7) filter_username filter_username {
  1398. (7) if (!&User-Name)
  1399. (7) if (!&User-Name) -> FALSE
  1400. (7) if (&User-Name =~ / /)
  1401. (7) if (&User-Name =~ / /) -> FALSE
  1402. (7) if (&User-Name =~ /@.*@/ )
  1403. (7) if (&User-Name =~ /@.*@/ ) -> FALSE
  1404. (7) if (&User-Name =~ /\\.\\./ )
  1405. (7) if (&User-Name =~ /\\.\\./ ) -> FALSE
  1406. (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
  1407. (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
  1408. (7) if (&User-Name =~ /\\.$/)
  1409. (7) if (&User-Name =~ /\\.$/) -> FALSE
  1410. (7) if (&User-Name =~ /@\\./)
  1411. (7) if (&User-Name =~ /@\\./) -> FALSE
  1412. (7) } # filter_username filter_username = notfound
  1413. (7) [preprocess] = ok
  1414. (7) [chap] = noop
  1415. (7) [mschap] = noop
  1416. (7) [digest] = noop
  1417. (7) suffix : Checking for suffix after "@"
  1418. (7) suffix : No '@' in User-Name = "admin", looking up realm NULL
  1419. (7) suffix : No such realm "NULL"
  1420. (7) [suffix] = noop
  1421. (7) eap : Peer sent code Response (2) ID 8 length 43
  1422. (7) eap : Continuing tunnel setup
  1423. (7) [eap] = ok
  1424. (7) } # authorize = ok
  1425. (7) Found Auth-Type = EAP
  1426. (7) # Executing group from file /etc/raddb/sites-enabled/default
  1427. (7) authenticate {
  1428. (7) eap : Expiring EAP session with state 0x61f2e62467faffbc
  1429. (7) eap : Finished EAP session with state 0x61f2e62467faffbc
  1430. (7) eap : Previous EAP request found for state 0x61f2e62467faffbc, released from the list
  1431. (7) eap : Peer sent method PEAP (25)
  1432. (7) eap : EAP PEAP (25)
  1433. (7) eap : Calling eap_peap to process EAP data
  1434. (7) eap_peap : processing EAP-TLS
  1435. (7) eap_peap : eaptls_verify returned 7
  1436. (7) eap_peap : Done initial handshake
  1437. (7) eap_peap : eaptls_process returned 7
  1438. (7) eap_peap : FR_TLS_OK
  1439. (7) eap_peap : Session established. Decoding tunneled attributes
  1440. (7) eap_peap : Peap state WAITING FOR INNER IDENTITY
  1441. (7) eap_peap : Identity - admin
  1442. (7) eap_peap : Got inner identity 'admin'
  1443. (7) eap_peap : Setting default EAP type for tunneled EAP session
  1444. (7) eap_peap : Got tunneled request
  1445. EAP-Message = 0x0208000a0161646d696e
  1446. server default {
  1447. (7) eap_peap : Setting User-Name to admin
  1448. Sending tunneled request
  1449. EAP-Message = 0x0208000a0161646d696e
  1450. FreeRADIUS-Proxied-To = 127.0.0.1
  1451. User-Name = 'admin'
  1452. server inner-tunnel {
  1453. (7) server inner-tunnel {
  1454. (7) Request:
  1455. EAP-Message = 0x0208000a0161646d696e
  1456. FreeRADIUS-Proxied-To = 127.0.0.1
  1457. User-Name = 'admin'
  1458. (7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
  1459. (7) authorize {
  1460. (7) [chap] = noop
  1461. (7) [mschap] = noop
  1462. (7) suffix : Checking for suffix after "@"
  1463. (7) suffix : No '@' in User-Name = "admin", looking up realm NULL
  1464. (7) suffix : No such realm "NULL"
  1465. (7) [suffix] = noop
  1466. (7) update control {
  1467. (7) Proxy-To-Realm := 'LOCAL'
  1468. (7) } # update control = noop
  1469. (7) eap : Peer sent code Response (2) ID 8 length 10
  1470. (7) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
  1471. (7) [eap] = ok
  1472. (7) } # authorize = ok
  1473. (7) Found Auth-Type = EAP
  1474. (7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
  1475. (7) authenticate {
  1476. (7) eap : Peer sent method Identity (1)
  1477. (7) eap : Calling eap_mschapv2 to process EAP data
  1478. (7) eap_mschapv2 : Issuing Challenge
  1479. (7) eap : New EAP session, adding 'State' attribute to reply 0x4c8dda924c84c039
  1480. (7) [eap] = handled
  1481. (7) } # authenticate = handled
  1482. (7) Reply:
  1483. EAP-Message = 0x0109001f1a0109001a10686ef184a486c83987794b19281c7f6361646d696e
  1484. Message-Authenticator = 0x00000000000000000000000000000000
  1485. State = 0x4c8dda924c84c039ee81a9294737f384
  1486. (7) } # server inner-tunnel
  1487. } # server inner-tunnel
  1488. (7) eap_peap : Got tunneled reply code 11
  1489. EAP-Message = 0x0109001f1a0109001a10686ef184a486c83987794b19281c7f6361646d696e
  1490. Message-Authenticator = 0x00000000000000000000000000000000
  1491. State = 0x4c8dda924c84c039ee81a9294737f384
  1492. (7) eap_peap : Got tunneled reply RADIUS code 11
  1493. EAP-Message = 0x0109001f1a0109001a10686ef184a486c83987794b19281c7f6361646d696e
  1494. Message-Authenticator = 0x00000000000000000000000000000000
  1495. State = 0x4c8dda924c84c039ee81a9294737f384
  1496. (7) eap_peap : Got tunneled Access-Challenge
  1497. (7) eap : New EAP session, adding 'State' attribute to reply 0x61f2e62466fbffbc
  1498. (7) [eap] = handled
  1499. (7) } # authenticate = handled
  1500. (7) Sending Access-Challenge packet to host 10.0.0.2 port 57819, id=209, length=0
  1501. (7) EAP-Message = 0x0109003b19001703010030120139fe4cd66f873c20d159e93874392c450eb16a9c093e23cd43123b20fc3b2a1edb0f3dd6fce26905b49efdfdf867
  1502. (7) Message-Authenticator = 0x00000000000000000000000000000000
  1503. (7) State = 0x61f2e62466fbffbc47493858800a8868
  1504. Sending Access-Challenge Id 209 from 10.0.0.30:1812 to 10.0.0.2:57819
  1505. EAP-Message = 0x0109003b19001703010030120139fe4cd66f873c20d159e93874392c450eb16a9c093e23cd43123b20fc3b2a1edb0f3dd6fce26905b49efdfdf867
  1506. Message-Authenticator = 0x00000000000000000000000000000000
  1507. State = 0x61f2e62466fbffbc47493858800a8868
  1508. (7) Finished request
  1509. Waking up in 0.2 seconds.
  1510. Received Access-Request Id 210 from 10.0.0.2:57819 to 10.0.0.30:1812 length 245
  1511. User-Name = 'admin'
  1512. NAS-IP-Address = 10.0.0.2
  1513. NAS-Identifier = 'RalinkAP0'
  1514. NAS-Port = 0
  1515. Called-Station-Id = '38-2C-4A-A3-67-E0'
  1516. Calling-Station-Id = '88-79-7E-99-D4-47'
  1517. Framed-MTU = 1400
  1518. NAS-Port-Type = Wireless-802.11
  1519. EAP-Message = 0x0209006b19001703010060c067d830fe9b589370f79feff736d3b5a51d7489132d3b7c236b499259633dabfc914c8e2d0fe74a39c56b19cfed4fd4099e80aa97a9526bedfa68a55e283982bab1b42e1636bfb9fa4aacc02189c60bf46579ce01cef1060c209b548529f0c9
  1520. State = 0x61f2e62466fbffbc47493858800a8868
  1521. Message-Authenticator = 0x58c536ef01b0d345c17571d7fb936c90
  1522. (8) Received Access-Request packet from host 10.0.0.2 port 57819, id=210, length=245
  1523. (8) User-Name = 'admin'
  1524. (8) NAS-IP-Address = 10.0.0.2
  1525. (8) NAS-Identifier = 'RalinkAP0'
  1526. (8) NAS-Port = 0
  1527. (8) Called-Station-Id = '38-2C-4A-A3-67-E0'
  1528. (8) Calling-Station-Id = '88-79-7E-99-D4-47'
  1529. (8) Framed-MTU = 1400
  1530. (8) NAS-Port-Type = Wireless-802.11
  1531. (8) EAP-Message = 0x0209006b19001703010060c067d830fe9b589370f79feff736d3b5a51d7489132d3b7c236b499259633dabfc914c8e2d0fe74a39c56b19cfed4fd4099e80aa97a9526bedfa68a55e283982bab1b42e1636bfb9fa4aacc02189c60bf46579ce01cef1060c209b548529f0c9
  1532. (8) State = 0x61f2e62466fbffbc47493858800a8868
  1533. (8) Message-Authenticator = 0x58c536ef01b0d345c17571d7fb936c90
  1534. (8) # Executing section authorize from file /etc/raddb/sites-enabled/default
  1535. (8) authorize {
  1536. (8) filter_username filter_username {
  1537. (8) if (!&User-Name)
  1538. (8) if (!&User-Name) -> FALSE
  1539. (8) if (&User-Name =~ / /)
  1540. (8) if (&User-Name =~ / /) -> FALSE
  1541. (8) if (&User-Name =~ /@.*@/ )
  1542. (8) if (&User-Name =~ /@.*@/ ) -> FALSE
  1543. (8) if (&User-Name =~ /\\.\\./ )
  1544. (8) if (&User-Name =~ /\\.\\./ ) -> FALSE
  1545. (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
  1546. (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
  1547. (8) if (&User-Name =~ /\\.$/)
  1548. (8) if (&User-Name =~ /\\.$/) -> FALSE
  1549. (8) if (&User-Name =~ /@\\./)
  1550. (8) if (&User-Name =~ /@\\./) -> FALSE
  1551. (8) } # filter_username filter_username = notfound
  1552. (8) [preprocess] = ok
  1553. (8) [chap] = noop
  1554. (8) [mschap] = noop
  1555. (8) [digest] = noop
  1556. (8) suffix : Checking for suffix after "@"
  1557. (8) suffix : No '@' in User-Name = "admin", looking up realm NULL
  1558. (8) suffix : No such realm "NULL"
  1559. (8) [suffix] = noop
  1560. (8) eap : Peer sent code Response (2) ID 9 length 107
  1561. (8) eap : Continuing tunnel setup
  1562. (8) [eap] = ok
  1563. (8) } # authorize = ok
  1564. (8) Found Auth-Type = EAP
  1565. (8) # Executing group from file /etc/raddb/sites-enabled/default
  1566. (8) authenticate {
  1567. (8) eap : Expiring EAP session with state 0x4c8dda924c84c039
  1568. (8) eap : Finished EAP session with state 0x61f2e62466fbffbc
  1569. (8) eap : Previous EAP request found for state 0x61f2e62466fbffbc, released from the list
  1570. (8) eap : Peer sent method PEAP (25)
  1571. (8) eap : EAP PEAP (25)
  1572. (8) eap : Calling eap_peap to process EAP data
  1573. (8) eap_peap : processing EAP-TLS
  1574. (8) eap_peap : eaptls_verify returned 7
  1575. (8) eap_peap : Done initial handshake
  1576. (8) eap_peap : eaptls_process returned 7
  1577. (8) eap_peap : FR_TLS_OK
  1578. (8) eap_peap : Session established. Decoding tunneled attributes
  1579. (8) eap_peap : Peap state phase2
  1580. (8) eap_peap : EAP type MSCHAPv2 (26)
  1581. (8) eap_peap : Got tunneled request
  1582. EAP-Message = 0x020900401a0209003b317285b5427bc062c3b1a6cb2437abacea0000000000000000af2bda22c854b980953166152081003ef3c0b2c9a08601840061646d696e
  1583. server default {
  1584. (8) eap_peap : Setting User-Name to admin
  1585. Sending tunneled request
  1586. EAP-Message = 0x020900401a0209003b317285b5427bc062c3b1a6cb2437abacea0000000000000000af2bda22c854b980953166152081003ef3c0b2c9a08601840061646d696e
  1587. FreeRADIUS-Proxied-To = 127.0.0.1
  1588. User-Name = 'admin'
  1589. State = 0x4c8dda924c84c039ee81a9294737f384
  1590. server inner-tunnel {
  1591. (8) server inner-tunnel {
  1592. (8) Request:
  1593. EAP-Message = 0x020900401a0209003b317285b5427bc062c3b1a6cb2437abacea0000000000000000af2bda22c854b980953166152081003ef3c0b2c9a08601840061646d696e
  1594. FreeRADIUS-Proxied-To = 127.0.0.1
  1595. User-Name = 'admin'
  1596. State = 0x4c8dda924c84c039ee81a9294737f384
  1597. (8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
  1598. (8) authorize {
  1599. (8) [chap] = noop
  1600. (8) [mschap] = noop
  1601. (8) suffix : Checking for suffix after "@"
  1602. (8) suffix : No '@' in User-Name = "admin", looking up realm NULL
  1603. (8) suffix : No such realm "NULL"
  1604. (8) [suffix] = noop
  1605. (8) update control {
  1606. (8) Proxy-To-Realm := 'LOCAL'
  1607. (8) } # update control = noop
  1608. (8) eap : Peer sent code Response (2) ID 9 length 64
  1609. (8) eap : No EAP Start, assuming it's an on-going EAP conversation
  1610. (8) [eap] = updated
  1611. (8) [files] = noop
  1612. rlm_ldap (ldap): Reserved connection (4)
  1613. (8) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
  1614. (8) ldap : --> (uid=admin)
  1615. (8) ldap : EXPAND dc=home,dc=stegard,dc=nu
  1616. (8) ldap : --> dc=home,dc=stegard,dc=nu
  1617. (8) ldap : Performing search in 'dc=home,dc=stegard,dc=nu' with filter '(uid=admin)', scope 'sub'
  1618. (8) ldap : Waiting for search result...
  1619. (8) ldap : User object found at DN "uid=admin,cn=users,cn=compat,dc=home,dc=stegard,dc=nu"
  1620. (8) ldap : Processing user attributes
  1621. (8) WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute
  1622. (8) WARNING: ldap : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
  1623. rlm_ldap (ldap): Released connection (4)
  1624. (8) [ldap] = ok
  1625. (8) [expiration] = noop
  1626. (8) [logintime] = noop
  1627. (8) [pap] = noop
  1628. (8) } # authorize = updated
  1629. (8) Found Auth-Type = EAP
  1630. (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
  1631. (8) authenticate {
  1632. (8) eap : Expiring EAP session with state 0x4c8dda924c84c039
  1633. (8) eap : Finished EAP session with state 0x4c8dda924c84c039
  1634. (8) eap : Previous EAP request found for state 0x4c8dda924c84c039, released from the list
  1635. (8) eap : Peer sent method MSCHAPv2 (26)
  1636. (8) eap : EAP MSCHAPv2 (26)
  1637. (8) eap : Calling eap_mschapv2 to process EAP data
  1638. (8) eap_mschapv2 : # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
  1639. (8) eap_mschapv2 : Auth-Type MS-CHAP {
  1640. (8) WARNING: mschap : No Cleartext-Password configured. Cannot create LM-Password
  1641. (8) WARNING: mschap : No Cleartext-Password configured. Cannot create NT-Password
  1642. (8) mschap : Creating challenge hash with username: admin
  1643. (8) mschap : Client is using MS-CHAPv2
  1644. (8) ERROR: mschap : FAILED: No NT/LM-Password. Cannot perform authentication
  1645. (8) ERROR: mschap : MS-CHAP2-Response is incorrect
  1646. (8) [mschap] = reject
  1647. (8) } # Auth-Type MS-CHAP = reject
  1648. (8) eap : Freeing handler
  1649. (8) [eap] = reject
  1650. (8) } # authenticate = reject
  1651. (8) Failed to authenticate the user
  1652. (8) Using Post-Auth-Type Reject
  1653. (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
  1654. (8) Post-Auth-Type REJECT {
  1655. (8) attr_filter.access_reject : EXPAND %{User-Name}
  1656. (8) attr_filter.access_reject : --> admin
  1657. (8) attr_filter.access_reject : Matched entry DEFAULT at line 11
  1658. (8) [attr_filter.access_reject] = updated
  1659. (8) } # Post-Auth-Type REJECT = updated
  1660. (8) Reply:
  1661. MS-CHAP-Error = '\tE=691 R=1'
  1662. EAP-Message = 0x04090004
  1663. Message-Authenticator = 0x00000000000000000000000000000000
  1664. (8) } # server inner-tunnel
  1665. } # server inner-tunnel
  1666. (8) eap_peap : Got tunneled reply code 3
  1667. MS-CHAP-Error = '\tE=691 R=1'
  1668. EAP-Message = 0x04090004
  1669. Message-Authenticator = 0x00000000000000000000000000000000
  1670. (8) eap_peap : Got tunneled reply RADIUS code 3
  1671. MS-CHAP-Error = '\tE=691 R=1'
  1672. EAP-Message = 0x04090004
  1673. Message-Authenticator = 0x00000000000000000000000000000000
  1674. (8) eap_peap : Tunneled authentication was rejected
  1675. (8) eap_peap : FAILURE
  1676. (8) eap : New EAP session, adding 'State' attribute to reply 0x61f2e62469f8ffbc
  1677. (8) [eap] = handled
  1678. (8) } # authenticate = handled
  1679. (8) Sending Access-Challenge packet to host 10.0.0.2 port 57819, id=210, length=0
  1680. (8) EAP-Message = 0x010a002b190017030100203f4c85e8f4ec609fb6014a96bfdbf4e9499099a99f2f909f42f66c856d7a2523
  1681. (8) Message-Authenticator = 0x00000000000000000000000000000000
  1682. (8) State = 0x61f2e62469f8ffbc47493858800a8868
  1683. Sending Access-Challenge Id 210 from 10.0.0.30:1812 to 10.0.0.2:57819
  1684. EAP-Message = 0x010a002b190017030100203f4c85e8f4ec609fb6014a96bfdbf4e9499099a99f2f909f42f66c856d7a2523
  1685. Message-Authenticator = 0x00000000000000000000000000000000
  1686. State = 0x61f2e62469f8ffbc47493858800a8868
  1687. (8) Finished request
  1688. Waking up in 0.2 seconds.
  1689. Received Access-Request Id 211 from 10.0.0.2:57819 to 10.0.0.30:1812 length 181
  1690. User-Name = 'admin'
  1691. NAS-IP-Address = 10.0.0.2
  1692. NAS-Identifier = 'RalinkAP0'
  1693. NAS-Port = 0
  1694. Called-Station-Id = '38-2C-4A-A3-67-E0'
  1695. Calling-Station-Id = '88-79-7E-99-D4-47'
  1696. Framed-MTU = 1400
  1697. NAS-Port-Type = Wireless-802.11
  1698. EAP-Message = 0x020a002b19001703010020a770eaed6f8fe6fc9edb7564e17c355ae6375abf90775bf47194e13fb96036d2
  1699. State = 0x61f2e62469f8ffbc47493858800a8868
  1700. Message-Authenticator = 0x46792c7873544d5187e489d15a561d17
  1701. (9) Received Access-Request packet from host 10.0.0.2 port 57819, id=211, length=181
  1702. (9) User-Name = 'admin'
  1703. (9) NAS-IP-Address = 10.0.0.2
  1704. (9) NAS-Identifier = 'RalinkAP0'
  1705. (9) NAS-Port = 0
  1706. (9) Called-Station-Id = '38-2C-4A-A3-67-E0'
  1707. (9) Calling-Station-Id = '88-79-7E-99-D4-47'
  1708. (9) Framed-MTU = 1400
  1709. (9) NAS-Port-Type = Wireless-802.11
  1710. (9) EAP-Message = 0x020a002b19001703010020a770eaed6f8fe6fc9edb7564e17c355ae6375abf90775bf47194e13fb96036d2
  1711. (9) State = 0x61f2e62469f8ffbc47493858800a8868
  1712. (9) Message-Authenticator = 0x46792c7873544d5187e489d15a561d17
  1713. (9) # Executing section authorize from file /etc/raddb/sites-enabled/default
  1714. (9) authorize {
  1715. (9) filter_username filter_username {
  1716. (9) if (!&User-Name)
  1717. (9) if (!&User-Name) -> FALSE
  1718. (9) if (&User-Name =~ / /)
  1719. (9) if (&User-Name =~ / /) -> FALSE
  1720. (9) if (&User-Name =~ /@.*@/ )
  1721. (9) if (&User-Name =~ /@.*@/ ) -> FALSE
  1722. (9) if (&User-Name =~ /\\.\\./ )
  1723. (9) if (&User-Name =~ /\\.\\./ ) -> FALSE
  1724. (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
  1725. (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
  1726. (9) if (&User-Name =~ /\\.$/)
  1727. (9) if (&User-Name =~ /\\.$/) -> FALSE
  1728. (9) if (&User-Name =~ /@\\./)
  1729. (9) if (&User-Name =~ /@\\./) -> FALSE
  1730. (9) } # filter_username filter_username = notfound
  1731. (9) [preprocess] = ok
  1732. (9) [chap] = noop
  1733. (9) [mschap] = noop
  1734. (9) [digest] = noop
  1735. (9) suffix : Checking for suffix after "@"
  1736. (9) suffix : No '@' in User-Name = "admin", looking up realm NULL
  1737. (9) suffix : No such realm "NULL"
  1738. (9) [suffix] = noop
  1739. (9) eap : Peer sent code Response (2) ID 10 length 43
  1740. (9) eap : Continuing tunnel setup
  1741. (9) [eap] = ok
  1742. (9) } # authorize = ok
  1743. (9) Found Auth-Type = EAP
  1744. (9) # Executing group from file /etc/raddb/sites-enabled/default
  1745. (9) authenticate {
  1746. (9) eap : Expiring EAP session with state 0x61f2e62469f8ffbc
  1747. (9) eap : Finished EAP session with state 0x61f2e62469f8ffbc
  1748. (9) eap : Previous EAP request found for state 0x61f2e62469f8ffbc, released from the list
  1749. (9) eap : Peer sent method PEAP (25)
  1750. (9) eap : EAP PEAP (25)
  1751. (9) eap : Calling eap_peap to process EAP data
  1752. (9) eap_peap : processing EAP-TLS
  1753. (9) eap_peap : eaptls_verify returned 7
  1754. (9) eap_peap : Done initial handshake
  1755. (9) eap_peap : eaptls_process returned 7
  1756. (9) eap_peap : FR_TLS_OK
  1757. (9) eap_peap : Session established. Decoding tunneled attributes
  1758. (9) eap_peap : Peap state send tlv failure
  1759. (9) eap_peap : Received EAP-TLV response
  1760. (9) eap_peap : The users session was previously rejected: returning reject (again.)
  1761. (9) eap_peap : *** This means you need to read the PREVIOUS messages in the debug output
  1762. (9) eap_peap : *** to find out the reason why the user was rejected
  1763. (9) eap_peap : *** Look for "reject" or "fail". Those earlier messages will tell you
  1764. (9) eap_peap : *** what went wrong, and how to fix the problem
  1765. SSL: Removing session b8aa8379aecf7b1117f556ecb78c601fd19a0b81437e91f268515cf956c3ee82 from the cache
  1766. (9) ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module failed
  1767. (9) eap : Failed in EAP select
  1768. (9) [eap] = invalid
  1769. (9) } # authenticate = invalid
  1770. (9) Failed to authenticate the user
  1771. (9) Using Post-Auth-Type Reject
  1772. (9) # Executing group from file /etc/raddb/sites-enabled/default
  1773. (9) Post-Auth-Type REJECT {
  1774. (9) attr_filter.access_reject : EXPAND %{User-Name}
  1775. (9) attr_filter.access_reject : --> admin
  1776. (9) attr_filter.access_reject : Matched entry DEFAULT at line 11
  1777. (9) [attr_filter.access_reject] = updated
  1778. (9) eap : Reply already contained an EAP-Message, not inserting EAP-Failure
  1779. (9) [eap] = noop
  1780. (9) remove_reply_message_if_eap remove_reply_message_if_eap {
  1781. (9) if (&reply:EAP-Message && &reply:Reply-Message)
  1782. (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
  1783. (9) else else {
  1784. (9) [noop] = noop
  1785. (9) } # else else = noop
  1786. (9) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
  1787. (9) } # Post-Auth-Type REJECT = updated
  1788. (9) Delaying response for 1 seconds
  1789. Waking up in 0.2 seconds.
  1790. Waking up in 0.6 seconds.
  1791. Received Access-Request Id 211 from 10.0.0.2:57819 to 10.0.0.30:1812 length 181
  1792. (9) Discarding duplicate request from client asus port 57819 - ID: 211 due to delayed response
  1793. Waking up in 0.1 seconds.
  1794. (9) Sending delayed response
  1795. (9) Sending Access-Reject packet to host 10.0.0.2 port 57819, id=211, length=0
  1796. (9) EAP-Message = 0x040a0004
  1797. (9) Message-Authenticator = 0x00000000000000000000000000000000
  1798. Sending Access-Reject Id 211 from 10.0.0.30:1812 to 10.0.0.2:57819
  1799. EAP-Message = 0x040a0004
  1800. Message-Authenticator = 0x00000000000000000000000000000000
  1801. Waking up in 3.8 seconds.
  1802. (0) Cleaning up request packet ID 202 with timestamp +13
  1803. (1) Cleaning up request packet ID 203 with timestamp +13
  1804. (2) Cleaning up request packet ID 204 with timestamp +13
  1805. (3) Cleaning up request packet ID 205 with timestamp +13
  1806. (4) Cleaning up request packet ID 206 with timestamp +13
  1807. (5) Cleaning up request packet ID 207 with timestamp +13
  1808. (6) Cleaning up request packet ID 208 with timestamp +13
  1809. (7) Cleaning up request packet ID 209 with timestamp +13
  1810. (8) Cleaning up request packet ID 210 with timestamp +13
  1811. (9) Cleaning up request packet ID 211 with timestamp +13
  1812. Ready to process requests