I think I have tried every possible setting to get this thing to work,
so as requested here are my conf files and logs when I tried different
settings. I apologize for the long post (its is actually 2, since the
first got bounced), but I am hoping someone had this problem and will
catch something that is an easy fix.
- Joe
*******************radiusd.conf
modules {
#
# PAP module to authenticate users based on their stored password
#
# Supports multiple encryption schemes
# clear: Clear text
# crypt: Unix crypt
# md5: MD5 ecnryption
# sha1: SHA1 encryption.
# DEFAULT: crypt
pap {
encryption_scheme = crypt
}
# Extensible Authentication Protocol
$INCLUDE ${confdir}/eap.conf
ldap Wireless_Staff {
server = "ldapchild2.MySchool.edu"
basedn = "ou=people,dc=MySchool,dc=edu"
filter =
"(&(uid=%{Stripped-User-Name:-%{User-Name}})(eduPersonEntitlement=wireless))"
start_tls = no
tls_mode = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 15
timeout = 4
timelimit = 3
net_timeout = 1
}
ldap Wireless_Students {
server = "ldapchild2.MySchool.edu"
basedn = "ou=people,dc=MySchool,dc=edu"
filter =
"(&(uid=%{Stripped-User-Name:-%{User-Name}})(eduPersonEntitlement=wirelessStudent))"
start_tls = no
tls_mode = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 15
timeout = 4
timelimit = 3
net_timeout = 1
}
authorize {
preprocess
auth_log
eap
files
autztype Wireless_Staff {
Wireless_Staff
}
autztype Wireless_Students {
Wireless_Students
}
}
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
# Allow EAP authentication.
eap
}
***************************************eap.conf
eap {
default_eap_type = tls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
md5 {
}
tls {
private_key_password = whatever
private_key_file = ${raddbdir}/certs/cert-srv.pem
certificate_file = ${raddbdir}/certs/cert-srv.pem
CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = /dev/urandom
fragment_size = 1024
include_length = yes
check_crl = yes
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = yes
use_tunneled_reply = yes
}
}
***************************************users (I will explain in a moment)
"test" User-Password == "test"
DEFAULT Huntgroup-Name == 1X, Autz-Type := Wireless_Staff, Auth-Type := EAP
******************************************************
The first log I am posting is when I comment out the Default line and
auth locally
testrad raddb # tail -f log
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host X.x.x.5:6001, id=0, length=141
User-Name = "test"
NAS-IP-Address = X.x.x.5
Called-Station-Id = "00-20-A6-4A-E7-15"
Calling-Station-Id = "00-0D-93-8A-34-81;MySchool-Staff"
NAS-Identifier = "ORiNOCO-AP-600"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200090174657374
Message-Authenticator = 0x02521fa69ec92e5d9da39a3ffb06e1f7
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/var/log/radius/radacct/X.x.x.5/auth-detail-20041220'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/X.x.x.5/auth-detail-20041220
modcall[authorize]: module "auth_log" returns ok for request 0
rlm_eap: EAP packet type response id 2 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched test at 1
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 0 to X.x.x.5:6001
EAP-Message = 0x010300060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe5ec2109a619625dd75ad5bc883da9cb
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host X.x.x.5:6001, id=1, length=156
User-Name = "test"
NAS-IP-Address = X.x.x.5
Called-Station-Id = "00-20-A6-4A-E7-15"
Calling-Station-Id = "00-0D-93-8A-34-81;MySchool-Staff"
NAS-Identifier = "ORiNOCO-AP-600"
State = 0xe5ec2109a619625dd75ad5bc883da9cb
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300060315
Message-Authenticator = 0xff03eff1e3878c148e84044b16e6a30d
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat: '/var/log/radius/radacct/X.x.x.5/auth-detail-20041220'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/X.x.x.5/auth-detail-20041220
modcall[authorize]: module "auth_log" returns ok for request 1
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched test at 1
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/ttls
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 1 to X.x.x.5:6001
EAP-Message = 0x010400061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb9d3a38dd7f9b0c5f89f1362bd4b1cae
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host X.x.x.5:6001, id=2, length=252
User-Name = "test"
NAS-IP-Address = X.x.x.5
Called-Station-Id = "00-20-A6-4A-E7-15"
Calling-Station-Id = "00-0D-93-8A-34-81;MySchool-Staff"
NAS-Identifier = "ORiNOCO-AP-600"
State = 0xb9d3a38dd7f9b0c5f89f1362bd4b1cae
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0204006615800000005c160301005701000053030141c79abcbd94ade29112c3784dcf23112ef8b25945a5a1410b814aa092217dfe00002c00050004000aff830009ff82000300080006ff8000010016001500140013001200110018001b001a001700190100
Message-Authenticator = 0xa9d60ebbfed54b9d58868aa7180a69d1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
radius_xlat: '/var/log/radius/radacct/X.x.x.5/auth-detail-20041220'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/X.x.x.5/auth-detail-20041220
modcall[authorize]: module "auth_log" returns ok for request 2
rlm_eap: EAP packet type response id 4 length 102
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched test at 1
modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0057], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0694], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 2 to X.x.x.5:6001
EAP-Message =
0x0105040a15c0000006f1160301004a02000046030141c753a9d24a9550e90dcf3e868737f5e7613bb3b9fb7dd63e4c0641126a534a20f640cfe068ad1a9656ee173372dad3520207e3f3b0c5e7b4216acb82e4705af900050016030106940b00069000068d0002cd308202c930820232a003020102020102300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e74206365
EAP-Message =
0x7274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d301e170d3034303132353133323631305a170d3035303132343133323631305a30819b310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f73743119301706035504031310526f6f74206365727469666963617465311f301d06092a864886f70d0109011610726f6f74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003
EAP-Message =
0x818d0030818902818100dac525422bfedb082629a2cba44b3449c90d0ab462fb72c8434a782098863d7eb7d7e70028c2b7ad555a51cc756cf4fa1d7091615ab450d5289553ae6616aff014a55085d6b8fb4aee98638e426175cdd36c665c63cda177d34920eb30585edc8773999c2980f81ad4638bbbea1c82d054023db7ef24a3ec1c3f6241a903d7f30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181007a2d921b1cf13bf2982a9178ec9ede6d88edc178a2e8bd40a0a06fb6f0769957884cd7084537083496fd184165293f583c8e8240eb68e042c94b15752e4c07e80d09
EAP-Message =
0x779afa3dd55c24fa54ac292d77205d1c2477ed30d59f57caf9bd21ff2a8d16cc0911c50e4f295763fcb60efa3c3d2d0e43850f6e6fbe284902f6e83503650003ba308203b63082031fa003020102020100300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c
EAP-Message = 0x652e636f6d301e170d3034303132353133323630375a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6465a1019f628e4e12e4fb0a281488ba
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host X.x.x.5:6001, id=3, length=156
User-Name = "test"
NAS-IP-Address = X.x.x.5
Called-Station-Id = "00-20-A6-4A-E7-15"
Calling-Station-Id = "00-0D-93-8A-34-81;MySchool-Staff"
NAS-Identifier = "ORiNOCO-AP-600"
State = 0x6465a1019f628e4e12e4fb0a281488ba
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020500061500
Message-Authenticator = 0x7241882ffccc5093d560235fe2ca7a52
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
radius_xlat: '/var/log/radius/radacct/X.x.x.5/auth-detail-20041220'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/X.x.x.5/auth-detail-20041220
modcall[authorize]: module "auth_log" returns ok for request 3
rlm_eap: EAP packet type response id 5 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
users: Matched test at 1
modcall[authorize]: module "files" returns ok for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 3 to X.x.x.5:6001
EAP-Message =
0x010602fb1580000006f1170d3036303132343133323630375a30819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d4c5b19724f164acf1ffb189db1c8fbff4f14396ea7cb1e90f78d69451725377895dfe52cc
EAP-Message =
0xb99b41e80ddeb58b127a943f4f58cbc562878192fbdc6fece9f871e7c130d35cf5188817e9b133249edd2a1c75d31043ae87553cec7a77ef26aa7d74281db9b77e17c6446c5dd9b188b43250ca0229963722a123a726b00b4027fd0203010001a381ff3081fc301d0603551d0e0416041468d36d3e1ee7bc9d5a057021c363da1365d1ade33081cc0603551d230481c43081c1801468d36d3e1ee7bc9d5a057021c363da1365d1ade3a181a5a481a230819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e
EAP-Message =
0x31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d820100300c0603551d13040530030101ff300d06092a864886f70d01010405000381810033c00b66b1e579ef73a06798252dab8d5e5511fc00fd276d80d12f834777c6743fdc2743fca1507704e4bc0979e4f60ac3ad9ee83e6f347369229d1f77229ba2e982359da563024a00163dba6d6c986c0bad28af85132ff8f0d76501bf1b7c2dff658ce1e62c01997b6e64e3e8d4373354ce9912847651539063b85bbc5485c51603010004
EAP-Message = 0x0e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd26fb0202d08153c11bc075bbc01697e
Finished request 3
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host X.x.x.5:6001, id=4, length=346
User-Name = "test"
NAS-IP-Address = X.x.x.5
Called-Station-Id = "00-20-A6-4A-E7-15"
Calling-Station-Id = "00-0D-93-8A-34-81;MySchool-Staff"
NAS-Identifier = "ORiNOCO-AP-600"
State = 0xd26fb0202d08153c11bc075bbc01697e
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x020600c41580000000ba160301008610000082008042450aa6feb5b4d9e76d0e59ed58d9f4915e16e9dce3740a7f0ac70f284413ddb35520b8fc87e7964228092f3d369124d8a9a3ccaf1c6687c18290f9c55e1fa579a0e74b59d6bff8abb1b533c772e10d5c3dc53e8b1dde35ef85ee6e16597a036d4632969ceee6048da2a1a9a3caf9ac284fabc26e7200a11e3c2e79fc2cf7b814030100010116030100243b2658d59b5fee1bb46036607bd00c328a6b273eb1a97af1de8e2b65024c8d19cca2fbfe
Message-Authenticator = 0x3c8f201b0b7733ddc14d5a26bf826853
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
radius_xlat: '/var/log/radius/radacct/X.x.x.5/auth-detail-20041220'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/X.x.x.5/auth-detail-20041220
modcall[authorize]: module "auth_log" returns ok for request 4
rlm_eap: EAP packet type response id 6 length 196
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
users: Matched test at 1
modcall[authorize]: module "files" returns ok for request 4
modcall: group authorize returns updated for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 4 to X.x.x.5:6001
EAP-Message =
0x0107003915800000002f14030100010116030100243add4ae6258fedcf4ecf5c5c8128e261f2d81fe243e8770bd307fe064712d08de950e5ef
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2d0587bb59d91199ede19b4185fc3f3a
Finished request 4
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host X.x.x.5:6001, id=5, length=221
User-Name = "test"
NAS-IP-Address = X.x.x.5
Called-Station-Id = "00-20-A6-4A-E7-15"
Calling-Station-Id = "00-0D-93-8A-34-81;MySchool-Staff"
NAS-Identifier = "ORiNOCO-AP-600"
State = 0x2d0587bb59d91199ede19b4185fc3f3a
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0207004715800000003d1703010038d3963d63c57f9b5c82f56351729ee5d427bd5079a24901aa24612b4dc80aae4c3b292ccc80dffe25e2ef3de5870144b81d1e34a05d1263fc
Message-Authenticator = 0x377f0c3a8f708771191d8de87be01d8f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
radius_xlat: '/var/log/radius/radacct/X.x.x.5/auth-detail-20041220'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/X.x.x.5/auth-detail-20041220
modcall[authorize]: module "auth_log" returns ok for request 5
rlm_eap: EAP packet type response id 7 length 71
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
users: Matched test at 1
modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
TTLS: Got tunneled request
User-Name = "test"
User-Password = "test"
FreeRADIUS-Proxied-To = 127.0.0.1
TTLS: Sending tunneled request
User-Name = "test"
User-Password = "test"
FreeRADIUS-Proxied-To = 127.0.0.1
NAS-IP-Address = X.x.x.5
Called-Station-Id = "00-20-A6-4A-E7-15"
Calling-Station-Id = "00-0D-93-8A-34-81;MySchool-Staff"
NAS-Identifier = "ORiNOCO-AP-600"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
radius_xlat: '/var/log/radius/radacct/127.0.0.1/auth-detail-20041220'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20041220
modcall[authorize]: module "auth_log" returns ok for request 5
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 5
users: Matched test at 1
modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns ok for request 5
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [test/test] (from client localhost port 0 cli
00-0D-93-8A-34-81;MySchool-Staff)
TTLS: Got tunneled reply RADIUS code 2
TTLS: Got tunneled Access-Accept
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 5
modcall: group authenticate returns ok for request 5
Login OK: [test/<no User-Password attribute>] (from client
AccessPoints port 0 cli 00-0D-93-8A-34-81;MySchool-Staff)
Sending Access-Accept of id 5 to X.x.x.5:6001
MS-MPPE-Recv-Key =
0x280ff4f79ac0a383e478a242f7d7344333e914b7297dc6970474b35b3e74dd74
MS-MPPE-Send-Key =
0x7d75e4859abeb0850a8905b1adff980149eea844a752558ea87ba165875b804f
EAP-Message = 0x03070004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "test"
Finished request 5
Going to the next request
Waking up in 5 seconds...
rad_recv: Accounting-Request packet from host X.x.x.5:6002, id=6, length=91
User-Name = "test"
Acct-Session-Id = "00-0D-93-8A-34-81"
NAS-Identifier = "ORiNOCO-AP-600"
NAS-IP-Address = X.x.x.5
NAS-Port = 2
NAS-Port-Type = Wireless-802.11
Acct-Authentic = RADIUS
Acct-Status-Type = Start
Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 6
modcall[preacct]: module "preprocess" returns noop for request 6
rlm_acct_unique: Hashing 'NAS-Port = 2,Client-IP-Address =
X.x.x.5,NAS-IP-Address = X.x.x.5,Acct-Session-Id =
"00-0D-93-8A-34-81",User-Name = "test"'
rlm_acct_unique: Acct-Unique-Session-ID = "63081c785c49fb14".
modcall[preacct]: module "acct_unique" returns ok for request 6
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[preacct]: module "suffix" returns noop for request 6
modcall[preacct]: module "files" returns noop for request 6
modcall: group preacct returns ok for request 6
Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 6
radius_xlat: '/var/log/radius/radacct/X.x.x.5/detail-20041220'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/X.x.x.5/detail-20041220
modcall[accounting]: module "detail" returns ok for request 6
modcall[accounting]: module "unix" returns ok for request 6
radius_xlat: '/var/log/radius/radutmp'
radius_xlat: 'test'
modcall[accounting]: module "radutmp" returns ok for request 6
modcall: group accounting returns ok for request 6
Sending Accounting-Response of id 6 to X.x.x.5:6002
Finished request 6
Going to the next request
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 41c753a8
Cleaning up request 1 ID 1 with timestamp 41c753a8
Cleaning up request 6 ID 6 with timestamp 41c753a9
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 2 with timestamp 41c753a9
Cleaning up request 3 ID 3 with timestamp 41c753a9
Cleaning up request 4 ID 4 with timestamp 41c753a9
Cleaning up request 5 ID 5 with timestamp 41c753a9
Nothing to do. Sleeping until we see a request.
************************************************************************************
The next log I set users to:
DEFAULT Huntgroup-Name == 1X, Autz-Type := Wireless_Staff
and it fails with ERROR: Unknown value specified for Auth-Type
testrad raddb # tail -f log
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host X.x.x.5:6001, id=230, length=149
User-Name = "factest1"
NAS-IP-Address = X.x.x.5
Called-Station-Id = "00-20-A6-4A-E7-15"
Calling-Station-Id = "00-0D-93-8A-34-81;MySchool-Staff"
NAS-Identifier = "ORiNOCO-AP-600"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0202000d016661637465737431
Message-Authenticator = 0x32e9a5221f9611f157ea39ee660af716
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/var/log/radius/radacct/X.x.x.5/auth-detail-20041220'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/X.x.x.5/auth-detail-20041220
modcall[authorize]: module "auth_log" returns ok for request 0
rlm_eap: EAP packet type response id 2 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched DEFAULT at 3
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
Processing the authorize section of radiusd.conf
modcall: entering group autztype for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for factest1
radius_xlat: '(&(uid=factest1)(eduPersonEntitlement=wireless))'
radius_xlat: 'ou=people,dc=MySchool,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldapchild2.MySchool.edu:389, authentication 0
rlm_ldap: bind as / to ldapchild2.MySchool.edu:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=MySchool,dc=edu, with
filter (&(uid=factest1)(eduPersonEntitlement=wireless))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user factest1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "Wireless_Staff" returns ok for request 0
modcall: group autztype returns ok for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 230 to X.x.x.5:6001
EAP-Message = 0x010300060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe5ec2109a619625d20bb9cbc25101212
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host X.x.x.5:6001, id=231, length=160
User-Name = "factest1"
NAS-IP-Address = X.x.x.5
Called-Station-Id = "00-20-A6-4A-E7-15"
Calling-Station-Id = "00-0D-93-8A-34-81;MySchool-Staff"
NAS-Identifier = "ORiNOCO-AP-600"
State = 0xe5ec2109a619625d20bb9cbc25101212
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300060315
Message-Authenticator = 0xd8c5d8bc84ce07ec26da008c34e10a14
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat: '/var/log/radius/radacct/X.x.x.5/auth-detail-20041220'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/X.x.x.5/auth-detail-20041220
modcall[authorize]: module "auth_log" returns ok for request 1
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched DEFAULT at 3
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
Processing the authorize section of radiusd.conf
modcall: entering group autztype for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for factest1
radius_xlat: '(&(uid=factest1)(eduPersonEntitlement=wireless))'
radius_xlat: 'ou=people,dc=MySchool,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=MySchool,dc=edu, with
filter (&(uid=factest1)(eduPersonEntitlement=wireless))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user factest1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "Wireless_Staff" returns ok for request 1
modcall: group autztype returns ok for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/ttls
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 231 to X.x.x.5:6001
EAP-Message = 0x010400061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb9d3a38dd7f9b0c5f1fd5d8841649b8b
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host X.x.x.5:6001, id=232, length=256
User-Name = "factest1"
NAS-IP-Address = X.x.x.5
Called-Station-Id = "00-20-A6-4A-E7-15"
Calling-Station-Id = "00-0D-93-8A-34-81;MySchool-Staff"
NAS-Identifier = "ORiNOCO-AP-600"
State = 0xb9d3a38dd7f9b0c5f1fd5d8841649b8b
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0204006615800000005c160301005701000053030141c798953dbaa606ecdb7c84113ef647d792242a38f48691fe3e89e92d9585ab00002c00050004000aff830009ff82000300080006ff8000010016001500140013001200110018001b001a001700190100
Message-Authenticator = 0xbd80ff13029b4bb4f097d1e5c1c1abd8
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
radius_xlat: '/var/log/radius/radacct/X.x.x.5/auth-detail-20041220'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/X.x.x.5/auth-detail-20041220
modcall[authorize]: module "auth_log" returns ok for request 2
rlm_eap: EAP packet type response id 4 length 102
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched DEFAULT at 3
modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns updated for request 2
Processing the authorize section of radiusd.conf
modcall: entering group autztype for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for factest1
radius_xlat: '(&(uid=factest1)(eduPersonEntitlement=wireless))'
radius_xlat: 'ou=people,dc=MySchool,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=MySchool,dc=edu, with
filter (&(uid=factest1)(eduPersonEntitlement=wireless))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user factest1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "Wireless_Staff" returns ok for request 2
modcall: group autztype returns ok for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0057], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0694], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 232 to X.x.x.5:6001
EAP-Message =
0x0105040a15c0000006f1160301004a02000046030141c75181ce790576ab3f86e7c780084376aa492d835790dc1e02c83fafbddd3220fd68b4ccd5b79e1785113e53e7a0b8a04beb0574fa48cd3ad46e6eaa446241c300050016030106940b00069000068d0002cd308202c930820232a003020102020102300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e74206365
EAP-Message =
0x7274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d301e170d3034303132353133323631305a170d3035303132343133323631305a30819b310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f73743119301706035504031310526f6f74206365727469666963617465311f301d06092a864886f70d0109011610726f6f74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003
EAP-Message =
0x818d0030818902818100dac525422bfedb082629a2cba44b3449c90d0ab462fb72c8434a782098863d7eb7d7e70028c2b7ad555a51cc756cf4fa1d7091615ab450d5289553ae6616aff014a55085d6b8fb4aee98638e426175cdd36c665c63cda177d34920eb30585edc8773999c2980f81ad4638bbbea1c82d054023db7ef24a3ec1c3f6241a903d7f30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181007a2d921b1cf13bf2982a9178ec9ede6d88edc178a2e8bd40a0a06fb6f0769957884cd7084537083496fd184165293f583c8e8240eb68e042c94b15752e4c07e80d09
EAP-Message =
0x779afa3dd55c24fa54ac292d77205d1c2477ed30d59f57caf9bd21ff2a8d16cc0911c50e4f295763fcb60efa3c3d2d0e43850f6e6fbe284902f6e83503650003ba308203b63082031fa003020102020100300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c
EAP-Message = 0x652e636f6d301e170d3034303132353133323630375a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6465a1019f628e4ee4f6a590513caa8e
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host X.x.x.5:6001, id=233, length=160
User-Name = "factest1"
NAS-IP-Address = X.x.x.5
Called-Station-Id = "00-20-A6-4A-E7-15"
Calling-Station-Id = "00-0D-93-8A-34-81;MySchool-Staff"
NAS-Identifier = "ORiNOCO-AP-600"
State = 0x6465a1019f628e4ee4f6a590513caa8e
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020500061500
Message-Authenticator = 0xdd50689369ad7cd1e542164575df72ff
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
radius_xlat: '/var/log/radius/radacct/X.x.x.5/auth-detail-20041220'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/X.x.x.5/auth-detail-20041220
modcall[authorize]: module "auth_log" returns ok for request 3
rlm_eap: EAP packet type response id 5 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
users: Matched DEFAULT at 3
modcall[authorize]: module "files" returns ok for request 3
modcall: group authorize returns updated for request 3
Processing the authorize section of radiusd.conf
modcall: entering group autztype for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for factest1
radius_xlat: '(&(uid=factest1)(eduPersonEntitlement=wireless))'
radius_xlat: 'ou=people,dc=MySchool,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=MySchool,dc=edu, with
filter (&(uid=factest1)(eduPersonEntitlement=wireless))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user factest1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "Wireless_Staff" returns ok for request 3
modcall: group autztype returns ok for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 233 to X.x.x.5:6001
EAP-Message =
0x010602fb1580000006f1170d3036303132343133323630375a30819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d4c5b19724f164acf1ffb189db1c8fbff4f14396ea7cb1e90f78d69451725377895dfe52cc
EAP-Message =
0xb99b41e80ddeb58b127a943f4f58cbc562878192fbdc6fece9f871e7c130d35cf5188817e9b133249edd2a1c75d31043ae87553cec7a77ef26aa7d74281db9b77e17c6446c5dd9b188b43250ca0229963722a123a726b00b4027fd0203010001a381ff3081fc301d0603551d0e0416041468d36d3e1ee7bc9d5a057021c363da1365d1ade33081cc0603551d230481c43081c1801468d36d3e1ee7bc9d5a057021c363da1365d1ade3a181a5a481a230819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e
EAP-Message =
0x31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d820100300c0603551d13040530030101ff300d06092a864886f70d01010405000381810033c00b66b1e579ef73a06798252dab8d5e5511fc00fd276d80d12f834777c6743fdc2743fca1507704e4bc0979e4f60ac3ad9ee83e6f347369229d1f77229ba2e982359da563024a00163dba6d6c986c0bad28af85132ff8f0d76501bf1b7c2dff658ce1e62c01997b6e64e3e8d4373354ce9912847651539063b85bbc5485c51603010004
EAP-Message = 0x0e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd26fb0202d08153c378daf3ea9c22aae
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host X.x.x.5:6001, id=234, length=350
User-Name = "factest1"
NAS-IP-Address = X.x.x.5
Called-Station-Id = "00-20-A6-4A-E7-15"
Calling-Station-Id = "00-0D-93-8A-34-81;MySchool-Staff"
NAS-Identifier = "ORiNOCO-AP-600"
State = 0xd26fb0202d08153c378daf3ea9c22aae
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x020600c41580000000ba16030100861000008200807728e2bb9a8929b468641d430f10394f0ba8e98eb93f9f8c8c8c216d6d86f307d114e725b0ce7d14ce0f4c5b0f6523942614f38a036309225a94696733bfeca258e71762a883d42d4e63ab70d8a83ba56fd8e9a671d1296859a0f008a97b5f158247fb1cf5eacd7b1af3816be06ea8295deab688dad17bc0ec08a21407233b5e1403010001011603010024d9900b6fa12d2f6ef007f89243c1eed9492ede58389787032b6265cc152a12c220234b02
Message-Authenticator = 0xef40d3a2137477619649a2d99ebcb70b
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
radius_xlat: '/var/log/radius/radacct/X.x.x.5/auth-detail-20041220'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/X.x.x.5/auth-detail-20041220
modcall[authorize]: module "auth_log" returns ok for request 4
rlm_eap: EAP packet type response id 6 length 196
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
users: Matched DEFAULT at 3
modcall[authorize]: module "files" returns ok for request 4
modcall: group authorize returns updated for request 4
Processing the authorize section of radiusd.conf
modcall: entering group autztype for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for factest1
radius_xlat: '(&(uid=factest1)(eduPersonEntitlement=wireless))'
radius_xlat: 'ou=people,dc=MySchool,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=MySchool,dc=edu, with
filter (&(uid=factest1)(eduPersonEntitlement=wireless))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user factest1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "Wireless_Staff" returns ok for request 4
modcall: group autztype returns ok for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 234 to X.x.x.5:6001
EAP-Message =
0x0107003915800000002f1403010001011603010024ea24ad1b029e0b0bf380eca6b0a1bf1dd28e2d32b30bba86901823291d8a3dd7b41f8507
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2d0587bb59d91199574e01acc4fa0060
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host X.x.x.5:6001, id=235, length=229
User-Name = "factest1"
NAS-IP-Address = X.x.x.5
Called-Station-Id = "00-20-A6-4A-E7-15"
Calling-Station-Id = "00-0D-93-8A-34-81;MySchool-Staff"
NAS-Identifier = "ORiNOCO-AP-600"
State = 0x2d0587bb59d91199574e01acc4fa0060
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0207004b158000000041170301003cf932e81eb339f2fc622d7aebacc09790d224436583c2df0c93515f70d65bb38d68e2a00fa83c99fdab25999ae7bf058667db58e29f390b51f1c7d246
Message-Authenticator = 0x1e96057c7c2c9331d7b94a09a1616103
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
radius_xlat: '/var/log/radius/radacct/X.x.x.5/auth-detail-20041220'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/X.x.x.5/auth-detail-20041220
modcall[authorize]: module "auth_log" returns ok for request 5
rlm_eap: EAP packet type response id 7 length 75
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
users: Matched DEFAULT at 3
modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns updated for request 5
Processing the authorize section of radiusd.conf
modcall: entering group autztype for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for factest1
radius_xlat: '(&(uid=factest1)(eduPersonEntitlement=wireless))'
radius_xlat: 'ou=people,dc=MySchool,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=MySchool,dc=edu, with
filter (&(uid=factest1)(eduPersonEntitlement=wireless))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user factest1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "Wireless_Staff" returns ok for request 5
modcall: group autztype returns ok for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
TTLS: Got tunneled request
User-Name = "factest1"
User-Password = "MySchool"
FreeRADIUS-Proxied-To = 127.0.0.1
TTLS: Sending tunneled request
User-Name = "factest1"
User-Password = "MySchool"
FreeRADIUS-Proxied-To = 127.0.0.1
NAS-IP-Address = X.x.x.5
Called-Station-Id = "00-20-A6-4A-E7-15"
Calling-Station-Id = "00-0D-93-8A-34-81;MySchool-Staff"
NAS-Identifier = "ORiNOCO-AP-600"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
radius_xlat: '/var/log/radius/radacct/127.0.0.1/auth-detail-20041220'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20041220
modcall[authorize]: module "auth_log" returns ok for request 5
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 5
users: Matched DEFAULT at 3
modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns ok for request 5
Processing the authorize section of radiusd.conf
modcall: entering group autztype for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for factest1
radius_xlat: '(&(uid=factest1)(eduPersonEntitlement=wireless))'
radius_xlat: 'ou=people,dc=MySchool,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=MySchool,dc=edu, with
filter (&(uid=factest1)(eduPersonEntitlement=wireless))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user factest1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "Wireless_Staff" returns ok for request 5
modcall: group autztype returns ok for request 5
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
ERROR: Unknown value specified for Auth-Type. Cannot perform
requested action.
auth: Failed to validate the user.
Login incorrect: [factest1/MySchool] (from client localhost port 0 cli
00-0D-93-8A-34-81;MySchool-Staff)
TTLS: Got tunneled reply RADIUS code 3
TTLS: Got tunneled Access-Reject
rlm_eap: Handler failed in EAP/ttls
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 5
modcall: group authenticate returns invalid for request 5
auth: Failed to validate the user.
Login incorrect: [factest1/<no User-Password attribute>] (from client
AccessPoints port 0 cli 00-0D-93-8A-34-81;MySchool-Staff)
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host X.x.x.5:6001, id=235, length=229
Sending Access-Reject of id 235 to X.x.x.5:6001
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 230 with timestamp 41c75181
Cleaning up request 1 ID 231 with timestamp 41c75181
Cleaning up request 2 ID 232 with timestamp 41c75181
Cleaning up request 3 ID 233 with timestamp 41c75181
Cleaning up request 4 ID 234 with timestamp 41c75181
Cleaning up request 5 ID 235 with timestamp 41c75181
Nothing to do. Sleeping until we see a request.
On Thu, 16 Dec 2004 14:36:43 -0500 (EST), Dustin Doris
<[EMAIL PROTECTED]> wrote:
> If you are still failing, I would suggest you send the list a copy of your
> radiusd.conf file and the output of radiusd -X when it fails. The debug
> messages when it does fail, should be able to tell you why it is failing.
> Without the debug info, we can only guess.
>
> -Dusty Doris
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
