Dear all,

I'm a newbie to FR so please bear with me.

I'm doing TTLS for wireless access. The wireless
client is Alfa-Ariss SecureW2 with Netscape LDAP as
backend (passwords are SHA encrypted). FR is CVS
snapshot-20040308 running on RH9.

I planned to retrieve the encrypted password from
LDAP and, during the final stage of the TTLS
authentication, use the PAP module to encrypt the cleartext
password from SecureW2 into a SHA hash and compare it with
the retrieved one.

But what actually happens is that FR indicates it found
'Auth-Type LDAP' during the final stage (request 5 in
my debug) and proceeds to use LDAP for user password
authentication; since I didn't enable LDAP for
authentication, it failed.

If I enable LDAP for authentication, it works: a
successful bind to LDAP authenticates the user. But the
cleartext password is used, and I would rather avoid
that.

So how can I use PAP for password authentication, or is
it not possible?

Below are the debug output, users file and
radiusd.conf.

Any input greatly appreciated.

-------------------
Debug output
-------------------------------------------
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file:
/usr/local/etc/raddb/clients.conf
Config:   including file:
/usr/local/etc/raddb/snmp.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir =
"/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file =
"/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile =
"/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will
go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will
go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will
go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean
output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "sha1"
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap) 
Module: Loaded eap 
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file =
"/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file =
"/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: CA_file =
"/usr/local/etc/raddb/certs/demoCA/cacert.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file =
"/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = "md5"
 ttls: copy_request_to_tunnel = yes
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups =
"/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix) 
Module: Loaded files 
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile =
"/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile =
"/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files) 
Module: Loaded LDAP 
 ldap: server = "ldapserver"
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = "uid=user,o=users,o=network"
 ldap: start_tls = no
 ldap: tls_cacertfile = "(null)"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = "password"
 ldap: basedn = "o=network"
 ldap: filter =
"(uid=%{Stripped-User-Name:-%{User-Name}})"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "{SHA}"
 ldap: password_attribute = "userPassword"
 ldap: access_attr = "(null)"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping =
"/usr/local/etc/raddb/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
conns: (nil)
rlm_ldap: reading ldap<->radius mappings from file
/usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS
$GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS
$GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS
Auth-Type
conns: 0x818fe00
Module: Instantiated ldap (ldap) 
Module: Loaded Acct-Unique-Session-Id 
 acct_unique: key = "User-Name, Acct-Session-Id,
NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded detail 
 detail: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail) 
Module: Loaded radutmp 
 radutmp: filename =
"/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp) 
Listening on IP address *, ports 1812/udp and
1813/udp.
Ready to process requests.
rad_recv: Access-Request packet from host
10.1.14.23:1112, id=88, length=150
        User-Name = "user1"
        Cisco-AVPair = "ssid=wireless"
        NAS-IP-Address = 10.1.14.23
        Called-Station-Id = "004096"
        Calling-Station-Id = "004096"
        NAS-Identifier = "AP01"
        NAS-Port = 37
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Service-Type = Authenticate-Only
        EAP-Message = 0x0229000901776d616e
        Message-Authenticator =
0xa6ec1d6fd980fb717d7f11d76a8dd6da
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok
for request 0
  modcall[authorize]: module "chap" returns noop for
request 0
  modcall[authorize]: module "mschap" returns noop for
request 0
    rlm_realm: No '@' in User-Name = "user1", looking
up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for
request 0
  rlm_eap: EAP packet type response id 41 length 9
  rlm_eap: No EAP Start, assuming it's an on-going EAP
conversation
  modcall[authorize]: module "eap" returns updated for
request 0
    users: Matched DEFAULT at 146
  modcall[authorize]: module "files" returns ok for
request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user1
radius_xlat:  '(uid=user1)'
radius_xlat:  'o=network'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldapserver:389,
authentication 0
rlm_ldap: bind as uid=user1,o=users,o=network/password
to ldapserver:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=network, with filter
(uid=user1)
rlm_ldap: Added password xxxxxxxxxxxxxxxxxxxxxxxxxxxx
in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user1 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for
request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled
for request 0
modcall: group authenticate returns handled for
request 0
Sending Access-Challenge of id 88 to 10.1.14.23:1112
        EAP-Message = 0x012a00060d20
        Message-Authenticator =
0x00000000000000000000000000000000
        State = 0xa41b75f68ee657c28b3553c325115578
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host
10.1.14.23:1113, id=89, length=165
        User-Name = "user1"
        Cisco-AVPair = "ssid=wireless"
        NAS-IP-Address = 10.1.14.23
        Called-Station-Id = "004096"
        Calling-Station-Id = "004096"
        NAS-Identifier = "AP01"
        NAS-Port = 37
        Framed-MTU = 1400
        State = 0xa41b75f68ee657c28b3553c325115578
        NAS-Port-Type = Wireless-802.11
        Service-Type = Authenticate-Only
        EAP-Message = 0x022a00060315
        Message-Authenticator =
0x684e09ddab9f564306a8ee0a320be8cc
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok
for request 1
  modcall[authorize]: module "chap" returns noop for
request 1
  modcall[authorize]: module "mschap" returns noop for
request 1
    rlm_realm: No '@' in User-Name = "user1", looking
up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for
request 1
  rlm_eap: EAP packet type response id 42 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP
conversation
  modcall[authorize]: module "eap" returns updated for
request 1
    users: Matched DEFAULT at 146
  modcall[authorize]: module "files" returns ok for
request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user1
radius_xlat:  '(uid=user1)'
radius_xlat:  'o=network'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=network, with filter
(uid=user1)
rlm_ldap: Added password xxxxxxxxxxxxxxxxxxxxxxxxxxxx
in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user1 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for
request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: EAP-NAK asked for EAP-Type/ttls
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled
for request 1
modcall: group authenticate returns handled for
request 1
Sending Access-Challenge of id 89 to 10.1.14.23:1113
        EAP-Message = 0x012b00061520
        Message-Authenticator =
0x00000000000000000000000000000000
        State = 0x45493f682e707bec1094904a38d2dbd0
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host
10.1.14.23:1114, id=90, length=219
        User-Name = "user1"
        Cisco-AVPair = "ssid=wireless"
        NAS-IP-Address = 10.1.14.23
        Called-Station-Id = "004096"
        Calling-Station-Id = "004096"
        NAS-Identifier = "AP01"
        NAS-Port = 37
        Framed-MTU = 1400
        State = 0x45493f682e707bec1094904a38d2dbd0
        NAS-Port-Type = Wireless-802.11
        Service-Type = Authenticate-Only
        EAP-Message =
0x022b003c158000000032160301002d0100002903018802320072731b407a9f787f35759aa0e91860694a9bdc7ea0c12a260d133645000002000a0100
        Message-Authenticator =
0x9fd228a07898128cc70c42e709c4b872
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok
for request 2
  modcall[authorize]: module "chap" returns noop for
request 2
  modcall[authorize]: module "mschap" returns noop for
request 2
    rlm_realm: No '@' in User-Name = "user1", looking
up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for
request 2
  rlm_eap: EAP packet type response id 43 length 60
  rlm_eap: No EAP Start, assuming it's an on-going EAP
conversation
  modcall[authorize]: module "eap" returns updated for
request 2
    users: Matched DEFAULT at 146
  modcall[authorize]: module "files" returns ok for
request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user1
radius_xlat:  '(uid=user1)'
radius_xlat:  'o=network'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=network, with filter
(uid=user1)
rlm_ldap: Added password xxxxxxxxxxxxxxxxxxxxxxxxxxxx
in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user1 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for
request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11 
    (other): before/accept initialization 
    TLS_accept: before/accept initialization 
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d],
ClientHello  
    TLS_accept: SSLv3 read client hello A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a],
ServerHello  
    TLS_accept: SSLv3 write server hello A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0694],
Certificate  
    TLS_accept: SSLv3 write certificate A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004],
ServerHelloDone  
    TLS_accept: SSLv3 write server done A 
    TLS_accept: SSLv3 flush data 
    TLS_accept:error in SSLv3 read client certificate
A 
In SSL Handshake Phase 
In SSL Accept mode  
  eaptls_process returned 13 
  modcall[authenticate]: module "eap" returns handled
for request 2
modcall: group authenticate returns handled for
request 2
Sending Access-Challenge of id 90 to 10.1.14.23:1114
        EAP-Message =
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
        EAP-Message =
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
        EAP-Message =
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
        EAP-Message =
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
        EAP-Message =
0x652e636f6d301e170d3034303132353133323630375a
        Message-Authenticator =
0x00000000000000000000000000000000
        State = 0xafa99d3f945fdd8d901975ad7fa39ac6
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host
10.1.14.23:1115, id=91, length=164
        User-Name = "user1"
        Cisco-AVPair = "ssid=wireless"
        NAS-IP-Address = 10.1.14.23
        Called-Station-Id = "004096"
        Calling-Station-Id = "004096"
        NAS-Identifier = "AP01"
        NAS-Port = 37
        Framed-MTU = 1400
        State = 0xafa99d3f945fdd8d901975ad7fa39ac6
        NAS-Port-Type = Wireless-802.11
        Service-Type = Authenticate-Only
        EAP-Message = 0x022c000515
        Message-Authenticator =
0xc74eed5e6781a12cd592d5f4abe2e0b6
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok
for request 3
  modcall[authorize]: module "chap" returns noop for
request 3
  modcall[authorize]: module "mschap" returns noop for
request 3
    rlm_realm: No '@' in User-Name = "user1", looking
up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for
request 3
  rlm_eap: EAP packet type response id 44 length 5
  rlm_eap: No EAP Start, assuming it's an on-going EAP
conversation
  modcall[authorize]: module "eap" returns updated for
request 3
    users: Matched DEFAULT at 146
  modcall[authorize]: module "files" returns ok for
request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user1
radius_xlat:  '(uid=user1)'
radius_xlat:  'o=network'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=network, with filter
(uid=user1)
rlm_ldap: Added password xxxxxxxxxxxxxxxxxxxxxxxxxxxx
in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user1 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for
request 3
modcall: group authorize returns updated for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1 
  eaptls_process returned 13 
  modcall[authenticate]: module "eap" returns handled
for request 3
modcall: group authenticate returns handled for
request 3
Sending Access-Challenge of id 91 to 10.1.14.23:1115
        EAP-Message =
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
        EAP-Message =
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
        EAP-Message =
0x31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d820100300c0603551d13040530030101ff300d06092a864886f70d01010405000381810033c00b66b1e579ef73a06798252dab8d5e5511fc00fd276d80d12f834777c6743fdc2743fca1507704e4bc0979e4f60ac3ad9ee83e6f347369229d1f77229ba2e982359da563024a00163dba6d6c986c0bad28af85132ff8f0d76501bf1b7c2dff658ce1e62c01997b6e64e3e8d4373354ce9912847651539063b85bbc5485c51603010004
        EAP-Message = 0x0e000000
        Message-Authenticator =
0x00000000000000000000000000000000
        State = 0x058cf4e7a546cde56eb32a77dc3a3150
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host
10.1.14.23:1116, id=92, length=359
        User-Name = "user1"
        Cisco-AVPair = "ssid=wireless"
        NAS-IP-Address = 10.1.14.23
        Called-Station-Id = "004096"
        Calling-Station-Id = "004096"
        NAS-Identifier = "AP01"
        NAS-Port = 37
        Framed-MTU = 1400
        State = 0x058cf4e7a546cde56eb32a77dc3a3150
        NAS-Port-Type = Wireless-802.11
        Service-Type = Authenticate-Only
        EAP-Message =
0x022d00c81580000000be160301008610000082008064262741e14313c97f9c6edfcf6d3db77f8197cdd66727465052570d3e3c79a543e7787a452ea28782e4491801fcdf723edb70b7e22c887208e377a8edd9fe0fc354dc9e95bfe8675b563946a40665dceb8510c8ed744d3c18b12d4bdea4fa52ff23b5dc873f87199448355b5f2c9ef264416299464dc59bd6cc99990e226a6914030100010116030100286b5c53a51630c28e0927dffc8f7bb6d4409ce9ad74f3a42cbe04d58129fafd7f47b8ac9cf43ce4f8
        Message-Authenticator =
0x1e002c5548cb7566a92455af62757a15
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok
for request 4
  modcall[authorize]: module "chap" returns noop for
request 4
  modcall[authorize]: module "mschap" returns noop for
request 4
    rlm_realm: No '@' in User-Name = "user1", looking
up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for
request 4
  rlm_eap: EAP packet type response id 45 length 200
  rlm_eap: No EAP Start, assuming it's an on-going EAP
conversation
  modcall[authorize]: module "eap" returns updated for
request 4
    users: Matched DEFAULT at 146
  modcall[authorize]: module "files" returns ok for
request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user1
radius_xlat:  '(uid=user1)'
radius_xlat:  'o=network'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=network, with filter
(uid=user1)
rlm_ldap: Added password xxxxxxxxxxxxxxxxxxxxxxxxxxxx
in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user1 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for
request 4
modcall: group authorize returns updated for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11 
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086],
ClientKeyExchange  
    TLS_accept: SSLv3 read client key exchange A 
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length
0001]  
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010],
Finished  
    TLS_accept: SSLv3 read finished A 
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length
0001]  
    TLS_accept: SSLv3 write change cipher spec A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010],
Finished  
    TLS_accept: SSLv3 write finished A 
    TLS_accept: SSLv3 flush data 
    (other): SSL negotiation finished successfully 
SSL Connection Established 
  eaptls_process returned 13 
  modcall[authenticate]: module "eap" returns handled
for request 4
modcall: group authenticate returns handled for
request 4
Sending Access-Challenge of id 92 to 10.1.14.23:1116
        EAP-Message =
0x012e003d1580000000331403010001011603010028f5808af65516fa1f74bf2447d55462f9b4ff1748d26aac2770d98a4eaef66bff4ab3311db24ebee7
        Message-Authenticator =
0x00000000000000000000000000000000
        State = 0x364f92bc59a5ae6abfc171f30d8f6083
Finished request 4
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host
10.1.14.23:1117, id=93, length=230
        User-Name = "user1"
        Cisco-AVPair = "ssid=wireless"
        NAS-IP-Address = 10.1.14.23
        Called-Station-Id = "004096"
        Calling-Station-Id = "004096"
        NAS-Identifier = "AP01"
        NAS-Port = 37
        Framed-MTU = 1400
        State = 0x364f92bc59a5ae6abfc171f30d8f6083
        NAS-Port-Type = Wireless-802.11
        Service-Type = Authenticate-Only
        EAP-Message =
0x022e004715800000003d1703010038beee1f2475dbf589e89499fe6a0de5427f66152a7db6a5ffd884d470adb6356d22228944e59166d83506b9d95fc90b1cae0303d34d4aee7d
        Message-Authenticator =
0xf91b3a4d6fa7973995f206328e8da2cb
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok
for request 5
  modcall[authorize]: module "chap" returns noop for
request 5
  modcall[authorize]: module "mschap" returns noop for
request 5
    rlm_realm: No '@' in User-Name = "user1", looking
up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for
request 5
  rlm_eap: EAP packet type response id 46 length 71
  rlm_eap: No EAP Start, assuming it's an on-going EAP
conversation
  modcall[authorize]: module "eap" returns updated for
request 5
    users: Matched DEFAULT at 146
  modcall[authorize]: module "files" returns ok for
request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user1
radius_xlat:  '(uid=user1)'
radius_xlat:  'o=network'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=network, with filter
(uid=user1)
rlm_ldap: Added password xxxxxxxxxxxxxxxxxxxxxxxxxxxx
in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user1 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for
request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11 
  eaptls_process returned 7 
  rlm_eap_ttls: Session established.  Proceeding to
decode tunneled attributes.
  TTLS: Got tunneled request
        User-Name = "user1"
        User-Password = "password"
        FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
        User-Name = "user1"
        User-Password = "password"
        FreeRADIUS-Proxied-To = 127.0.0.1
        Cisco-AVPair = "ssid=wireless"
        NAS-IP-Address = 10.1.14.23
        Called-Station-Id = "004096"
        Calling-Station-Id = "004096"
        NAS-Identifier = "AP01"
        NAS-Port = 37
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Service-Type = Authenticate-Only
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok
for request 5
  modcall[authorize]: module "chap" returns noop for
request 5
  modcall[authorize]: module "mschap" returns noop for
request 5
    rlm_realm: No '@' in User-Name = "user1", looking
up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for
request 5
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for
request 5
    users: Matched DEFAULT at 146
  modcall[authorize]: module "files" returns ok for
request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user1
radius_xlat:  '(uid=user1)'
radius_xlat:  'o=network'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=network, with filter
(uid=user1)
rlm_ldap: Added password xxxxxxxxxxxxxxxxxxxxxxxxxxxx
in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user1 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for
request 5
modcall: group authorize returns ok for request 5
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  ERROR: Unknown value specified for Auth-Type. 
Cannot perform requested action.
auth: Failed to validate the user.
  TTLS: Got tunneled reply RADIUS code 3
  TTLS: Got tunneled Access-Reject
 rlm_eap: Handler failed in EAP/ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid
for request 5
modcall: group authenticate returns invalid for
request 5
auth: Failed to validate the user.
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host
10.1.14.23:1117, id=93, length=230
Sending Access-Reject of id 93 to 10.1.14.23:1117
        EAP-Message = 0x042e0004
        Message-Authenticator =
0x00000000000000000000000000000000
--- Walking the entire request list ---
Cleaning up request 0 ID 88 with timestamp 405a53f2
Cleaning up request 1 ID 89 with timestamp 405a53f2
Cleaning up request 2 ID 90 with timestamp 405a53f2
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 91 with timestamp 405a53f3
Cleaning up request 4 ID 92 with timestamp 405a53f3
Cleaning up request 5 ID 93 with timestamp 405a53f3
Nothing to do.  Sleeping until we see a request.
-------------------------------------------

-------------------
users
-------------------------------------------
# Catch-all entry: no check items, so it matches every request (the debug
# shows "users: Matched DEFAULT at 146" for both the outer EAP requests and
# the inner TTLS request). Nothing here sets Auth-Type, so for the inner
# request Auth-Type is left to whichever module sets it later in authorize
# (rlm_ldap in the debug above). The line number 146 suggests the real file
# has more content above this entry than is shown here.
# Fall-Through = no is a reply item: stop searching the users file here.
DEFAULT
        Fall-Through = no
-------------------------------------------

-------------------
radiusd.conf
-------------------------------------------
# Installation layout; every path below is derived from ${prefix}
# (the debug output echoes the expanded values under "main:").
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
# Request lifetime and queue limits.
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
# Listen on all addresses; port = 0 means the standard RADIUS ports
# (debug: "Listening on IP address *, ports 1812/udp and 1813/udp").
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
# Authentication logging is fully off (log_auth and both log_auth_*pass
# are "no"): with debugging disabled, a failed inner TTLS authentication
# like request 5 above would leave no record in ${log_file}. Consider
# log_auth = yes for detection; keep log_auth_badpass = no so rejected
# passwords are never written to disk.
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
# User-Name / User-Password normalisation all disabled.
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

security {
        # Packets carrying more than this many attributes are dropped.
        max_attributes = 200
        # Hold every Access-Reject for one second (debug: "Delaying request 5
        # for 1 seconds"); this rate-limits online password guessing.
        reject_delay = 1
        # Do not answer Status-Server probes.
        status_server = no
}

# No realm proxying; every request, including the TTLS inner request, is
# handled by this server.
proxy_requests  = no
# Per-NAS shared secrets live in clients.conf (not shown in this post).
$INCLUDE  ${confdir}/clients.conf
# SNMP agent disabled; snmp.conf is still read at startup
# (debug: "Config:   including file: .../snmp.conf").
snmp    = no
$INCLUDE  ${confdir}/snmp.conf

# Worker thread limits; max_requests_per_server = 0 means threads are never
# recycled after a fixed number of requests.
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}

modules {
        pap {
                # rlm_pap compares the request's User-Password with the
                # User-Password check item, treating the check item as a SHA1
                # hash. In the debug above rlm_ldap does add the directory
                # password as a check item ("Added password ... in check items"),
                # but the inner TTLS request (request 5) never reaches pap: the
                # authorize pass ends with "Found Auth-Type LDAP", an Auth-Type
                # with no authenticate section here. For pap to run, the inner
                # request's Auth-Type has to resolve to PAP instead of LDAP --
                # NOTE(review): confirm the rule this CVS snapshot's rlm_ldap uses
                # for setting Auth-Type = LDAP, and whether its rlm_pap accepts the
                # {SHA}-stripped value in the encoding the directory stores.
                encryption_scheme = sha1
        }

        chap {
                # Auth-Type set when a CHAP-Password is present; in the debug
                # above every request lacks one, so chap returns noop.
                authtype = CHAP
        }

        eap {
                # Type offered first. The client NAKs it and asks for ttls
                # (debug: "EAP-NAK asked for EAP-Type/ttls"), costing one extra
                # round trip per session; default_eap_type = ttls would avoid it.
                default_eap_type = tls
                # Seconds an unfinished EAP session is kept before being dropped.
                timer_expire     = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no

                tls {
                        # Stored in cleartext and echoed verbatim in debug output
                        # ("tls: private_key_password = ..."), as is the LDAP bind
                        # password; treat both as exposed once a debug log is shared.
                        private_key_password = whatever
                        # Server key and certificate in one PEM file; CA_file
                        # under demoCA matches the shipped example layout.
                        # NOTE(review): if these are the demo certificates,
                        # replace them before any use beyond testing.
                        private_key_file = ${raddbdir}/certs/cert-srv.pem
                        certificate_file = ${raddbdir}/certs/cert-srv.pem
                        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                        dh_file = ${raddbdir}/certs/dh
                        random_file = ${raddbdir}/certs/random
                        # Per-fragment size; below the NAS Framed-MTU of 1400.
                        fragment_size = 1024
                        include_length = yes
                        # Not set here, so the debug shows the defaults:
                        # rsa_key_length = 512, dh_key_length = 512, verify_depth = 0,
                        # check_crl = no. 512-bit ephemeral keys are short by
                        # current standards; set these explicitly.
                }

                ttls {
                        # Inner EAP type when the client tunnels EAP. Unused in the
                        # debug above: the tunneled request carries User-Password,
                        # i.e. inner PAP.
                        default_eap_type = md5
                        # Outer attributes (NAS-IP-Address, Cisco-AVPair, ...) are
                        # copied into the tunneled request (debug: "TTLS: Sending
                        # tunneled request").
                        copy_request_to_tunnel = yes
                        # Reply attributes from the inner request are not copied
                        # to the outer Access-Accept.
                        use_tunneled_reply = no                                    
                }

        }

        mschap {
                authtype = MS-CHAP
        }

        ldap {
                server = "ldapserver"
                identity = "uid=user1,o=users,o=network"
                password = "password"
                basedn = "o=network"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                password_header = "{SHA}"
                password_attribute = userPassword
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }

        realm suffix {
                format = suffix
                delimiter = "@"
        }

        realm realmpercent {
                format = suffix
                delimiter = "%"
        }
        
        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints

                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }

        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                compat = no
        }

        detail {
                detailfile =
${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
        }

        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
        }

        radutmp {
                filename = ${logdir}/radutmp
                username = %{User-Name}
                case_sensitive = yes
                check_with_nas = yes            
                callerid = "yes"
        }

        radutmp sradutmp {
                filename = ${logdir}/sradutmp
                perm = 0644
                callerid = "no"
        }

        attr_filter {
                attrsfile = ${confdir}/attrs
        }

        counter daily {
                filename = ${raddbdir}/db.daily
                key = User-Name
                count-attribute = Acct-Session-Time
                reset = daily
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                allowed-servicetype = Framed-User
                cache-size = 5000
        }

        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }

        expr {
        }

        digest {
        }

        exec {
                wait = yes
                input_pairs = request
        }

        exec echo {
                wait = yes
                program = "/bin/echo %{User-Name}"
                input_pairs = request
                output_pairs = reply
        }

        ippool main_pool {
                range-start = 192.168.1.1
                range-stop = 192.168.3.254
                netmask = 255.255.255.0
                cache-size = 800
                session-db = ${raddbdir}/db.ippool
                ip-index = ${raddbdir}/db.ipindex
                override = no
                maximum-timeout = 0
        }
}

# Modules to load even though they are not named in any of the processing
# sections below (neither exec nor expr appears in authorize/authenticate/
# preacct/accounting/session here).
instantiate {
        exec
        expr
}

# Runs for every Access-Request, including the inner (tunnelled) TTLS
# request.  Order matters: the first module that sets Auth-Type wins.
authorize {
        preprocess
        chap
        mschap
        suffix
        # Expected to set Auth-Type = EAP on the outer request (it carries an
        # EAP-Message); the inner PAP request has none and passes through.
        eap
        files
        # Last in the list.  With password_attribute set it should return the
        # stored hash as a User-Password check item and leave Auth-Type for
        # the pap section to handle.  NOTE(review): the "Auth-Type LDAP" seen
        # in the debug is the module's fallback when it cannot read that
        # attribute -- check that the bind identity can read userPassword,
        # and that the users file (not shown) does not set Auth-Type itself.
        ldap
}

# Dispatches on the Auth-Type chosen during authorize.
authenticate {
        # Reached only when something in authorize set Auth-Type = PAP (the
        # users file is the usual place).  pap then compares the cleartext
        # password from the inner TTLS request against the User-Password
        # check item supplied by ldap.
        Auth-Type PAP {
                pap
        }

        Auth-Type CHAP {
                chap
        }

        Auth-Type MS-CHAP {
                mschap
        }

        # There is deliberately no "Auth-Type LDAP" section, so a request for
        # which the ldap module set Auth-Type = LDAP is rejected here.  That
        # is the right choice if the goal is to never bind to the directory
        # with the user's cleartext password; add one only as a conscious
        # decision.
        eap
}

# Pre-processing of Accounting-Request packets (realm stripping, acct_users).
preacct {
        preprocess
        suffix
        files
}

# Accounting-Request logging: de-duplication key, per-client detail files
# (0600), and the radutmp session table.
accounting {
        acct_unique
        detail
        radutmp
}

# Simultaneous-Use checks consult the radutmp table (check_with_nas = yes).
session {
        radutmp
}

# Nothing runs after authentication; a reply-logging or attr_filter entry
# would go here if needed.
post-auth {
}

# Unused while proxy_requests = no.
pre-proxy {
}

# Unused while proxy_requests = no; eap here would only matter for
# proxied EAP replies.
post-proxy {
        eap
}
-------------------------------------------

