Ok, this is it radius -X logs with packets:

rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=151, length=134
	User-Name = "SCxxxxxx"
	Framed-MTU = 1400
	Called-Station-Id = "0016.9df4.c3d0"
	Calling-Station-Id = "001a.73a8.6482"
	Service-Type = Login-User
	Message-Authenticator = 0x69c0bdb2f77ea232cbb08cf2c83496b9
	EAP-Message = 0x0201000d015343313030353538
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1965
	NAS-IP-Address = 10.1.3.17
	NAS-Identifier = "apTeste"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> SCxxxxxx
[sql] sql_set_user escaped user --> 'SCxxxxxx'
rlm_sql (sql): Reserving sql socket id: 0
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'SCxxxxxx' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'SCxxxxxx' ORDER BY priority
rlm_sql (sql): Released sql socket id: 0
[sql] User SCxxxxxx not found
++[sql] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 151 to 10.1.3.17 port 1645
	EAP-Message = 0x010200061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x71a07f9a71a2665d779b09e23c4bbcc5
Finished request 10.
Going to the next request
Waking up in 1.0 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=152, length=251
	User-Name = "SCxxxxxx"
	Framed-MTU = 1400
	Called-Station-Id = "0016.9df4.c3d0"
	Calling-Station-Id = "001a.73a8.6482"
	Service-Type = Login-User
	Message-Authenticator = 0xfec204f79341a8f5862c5667a618628d
	EAP-Message = 0x0202007019800000006616030100610100005d03014bf2bfb6ed6206a28296dff33b58190d3d71a6fa3fa34f7512115f8ea3f9214100003600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1965
	State = 0x71a07f9a71a2665d779b09e23c4bbcc5
	NAS-IP-Address = 10.1.3.17
	NAS-Identifier = "apTeste"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 102
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0061], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0791], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 152 to 10.1.3.17 port 1645
	EAP-Message = 0x0103040019c000000960160301002a0200002603014bf2cdc4a5be307179f9e66645f49e7485abc9df3786e84fd2881f6908b164360000390016030107910b00078d00078a00030f3082030b308201f3a003020102020101300d06092a864886f70d0101040500308181310b3009060355040613025054310f300d060355040813064c6973626f613112301006035504071309416c6672616769646531143012060355040a130b53756d6f6c436f6d70616c3121301f06092a864886f70d01090116126473694073756d6f6c636f6d70616c2e7074311430120603550403130b53756d6f6c436f6d70616c301e170d3130303530333138303030375a17
	EAP-Message = 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
	EAP-Message = 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
	EAP-Message = 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
	EAP-Message = 0x03550403130b53756d6f6c43
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x71a07f9a70a3665d779b09e23c4bbcc5
Finished request 11.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=153, length=145
	User-Name = "SCxxxxxx"
	Framed-MTU = 1400
	Called-Station-Id = "0016.9df4.c3d0"
	Calling-Station-Id = "001a.73a8.6482"
	Service-Type = Login-User
	Message-Authenticator = 0x3bb21c2657201679cb8ec944891469f4
	EAP-Message = 0x020300061900
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1965
	State = 0x71a07f9a70a3665d779b09e23c4bbcc5
	NAS-IP-Address = 10.1.3.17
	NAS-Identifier = "apTeste"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 153 to 10.1.3.17 port 1645
	EAP-Message = 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
	EAP-Message = 0x1544b1e58ac3589d701ee275a5d386a892def7dd0d90edb7adf46793d1bc90044e770f801e90156b02162ef932142d4c6f26db1faf5000bf1a910fd5427e4e25ca904ef164e30983841e5af2acfbf082eb4dbaabea870699ca7319d857dcfaaa3483097d0afea7286265f2a85df491c222508c15e21bec0eaaeb13822ba9c0d67818db0bf0b37f6660e35d0f95383bb780c8adb6791086cdc90cba8efa705b051a660d16c13bbfd9a56188e6deb6a044f12d2ff81efcc141608ad423109b52cce64543a2c9b3927e3101f1b8b6ca60a3e043810203010001a381e93081e6301d0603551d0e041604143f6ba9f9a46015e19021e778c73e34281fe547cd
	EAP-Message = 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
	EAP-Message = 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
	EAP-Message = 0x22e1b8d859d4f5de
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x71a07f9a73a4665d779b09e23c4bbcc5
Finished request 12.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=154, length=145
	User-Name = "SCxxxxxx"
	Framed-MTU = 1400
	Called-Station-Id = "0016.9df4.c3d0"
	Calling-Station-Id = "001a.73a8.6482"
	Service-Type = Login-User
	Message-Authenticator = 0xa3951d2c17ace66b077f00fc7bf0e6d9
	EAP-Message = 0x020400061900
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1965
	State = 0x71a07f9a73a4665d779b09e23c4bbcc5
	NAS-IP-Address = 10.1.3.17
	NAS-Identifier = "apTeste"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 154 to 10.1.3.17 port 1645
	EAP-Message = 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
	EAP-Message = 0x7e2faed53317515aba6737ea4dc992a3c60a479de7aee9a7cb4d9fb5adbffb0ce15a9e4454ba8a52311ecdd7b0e59656f1a9992e16ed0f34eb3e0b680f50b16338f37a8252b818f1241df03a9e16840ba3a1639db282d5aacbf4f6ff1d87f6a5574c33ea5bc02b6fa9c9ef9f7931562b011bee0316030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x71a07f9a72a5665d779b09e23c4bbcc5
Finished request 13.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=155, length=347
	User-Name = "SCxxxxxx"
	Framed-MTU = 1400
	Called-Station-Id = "0016.9df4.c3d0"
	Calling-Station-Id = "001a.73a8.6482"
	Service-Type = Login-User
	Message-Authenticator = 0x19105064daaf31e887425b24651b81f0
	EAP-Message = 0x020500d01980000000c61603010086100000820080abae2e2f4f44f5d08810fd2381d392c2015258106ee277bbe0b05610ffb1ef62b44656acb92e2393268c0c1941480ab6ae8ff78518a2b32a41d28376dd06a05653661d4fa894fef1580415fcfdf9124c7c37a7bd4257191ac95976ff7bb98e92457676556df1cf7e5091e73cec917340ee1cb931fbc2042b77614881c785d40f140301000101160301003057e5cb45b47e93b0b594619d739390e28385488a9498746b9268cb2c78d81aab44bee5f592d76374a58615ff155e81ac
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1965
	State = 0x71a07f9a72a5665d779b09e23c4bbcc5
	NAS-IP-Address = 10.1.3.17
	NAS-Identifier = "apTeste"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 155 to 10.1.3.17 port 1645
	EAP-Message = 0x01060041190014030100010116030100305e71c8d68d36fcd86bcafcc8cb3e2844c70ab21c81dd08f95ed93e7f00f4beb433f6d8b85766b0b5589a00357960c5ba
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x71a07f9a75a6665d779b09e23c4bbcc5
Finished request 14.
Going to the next request
Waking up in 0.8 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=156, length=145
	User-Name = "SCxxxxxx"
	Framed-MTU = 1400
	Called-Station-Id = "0016.9df4.c3d0"
	Calling-Station-Id = "001a.73a8.6482"
	Service-Type = Login-User
	Message-Authenticator = 0x48ce51b9867ef2956fe03dc1f1d03439
	EAP-Message = 0x020600061900
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1965
	State = 0x71a07f9a75a6665d779b09e23c4bbcc5
	NAS-IP-Address = 10.1.3.17
	NAS-Identifier = "apTeste"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 156 to 10.1.3.17 port 1645
	EAP-Message = 0x0107002b19001703010020cf52edce1f82a710b58c1c4858ab02ad12f6a180500d84269090b540687e30dc
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x71a07f9a74a7665d779b09e23c4bbcc5
Finished request 15.
Going to the next request
Waking up in 0.8 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=157, length=219
	User-Name = "SCxxxxxx"
	Framed-MTU = 1400
	Called-Station-Id = "0016.9df4.c3d0"
	Calling-Station-Id = "001a.73a8.6482"
	Service-Type = Login-User
	Message-Authenticator = 0xd530849a7abac306539b90b908518fc3
	EAP-Message = 0x02070050190017030100206bc36363ce7860db7b98d045d281e783ab75f7cb90b274ea5abe9b21a25685d9170301002013fcf9dbfe1a5f4d0ede5bc6b33b8faa6cc6da182c9d64658e862b22a2cc11a9
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1965
	State = 0x71a07f9a74a7665d779b09e23c4bbcc5
	NAS-IP-Address = 10.1.3.17
	NAS-Identifier = "apTeste"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - SCxxxxxx
[peap] Got tunneled request
	EAP-Message = 0x0207000d015343313030353538
server {
  PEAP: Got tunneled identity of SCxxxxxx
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to SCxxxxxx
Sending tunneled request
	EAP-Message = 0x0207000d015343313030353538
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "SCxxxxxx"
server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> SCxxxxxx
[sql] sql_set_user escaped user --> 'SCxxxxxx'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'SCxxxxxx' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'SCxxxxxx' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
[sql] User SCxxxxxx not found
++[sql] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
	EAP-Message = 0x010800221a0108001d10da858d721d2eae1b76bceca6c3cf8fca5343313030353538
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xa664a388a66cb983d236d23ebef37d3d
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x010800221a0108001d10da858d721d2eae1b76bceca6c3cf8fca5343313030353538
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xa664a388a66cb983d236d23ebef37d3d
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 157 to 10.1.3.17 port 1645
	EAP-Message = 0x0108004b19001703010040fe8440f6630f7d88ee229e5a486b85ecd9fee28524b56055249a462f18800a2c7d5a06a9651e132b098be2f2c938b6dc795fa4bbf3a2345d78b216e847f4ae78
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x71a07f9a77a8665d779b09e23c4bbcc5
Finished request 16.
Going to the next request
Waking up in 0.8 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=158, length=283
	User-Name = "SCxxxxxx"
	Framed-MTU = 1400
	Called-Station-Id = "0016.9df4.c3d0"
	Calling-Station-Id = "001a.73a8.6482"
	Service-Type = Login-User
	Message-Authenticator = 0x776ff2b831f9a969c494a1381e93b15e
	EAP-Message = 0x020800901900170301002024d1038c0d3204f8fdaffffeb5d27d8af99505c85af736757559407840d8d80117030100607a55a04202ab1bac1ee36032254706582604c929bb2cb1df635c7decc8a7eaea82a6f8f1cdaafaff46d5de57d4a0d739ed7d872723601879b37920586e1918f6618b69a6a6808bf94a203e34585c2db1efa0a25c448386e5d674a751b22ee8af
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1965
	State = 0x71a07f9a77a8665d779b09e23c4bbcc5
	NAS-IP-Address = 10.1.3.17
	NAS-Identifier = "apTeste"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x020800431a0208003e318d6715cf1b766ba449213e70d547fd620000000000000000d27bf329069b5287e10c2aecb5db2d2b6ec72b5009d4b417005343313030353538
server {
  PEAP: Setting User-Name to SCxxxxxx
Sending tunneled request
	EAP-Message = 0x020800431a0208003e318d6715cf1b766ba449213e70d547fd620000000000000000d27bf329069b5287e10c2aecb5db2d2b6ec72b5009d4b417005343313030353538
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "SCxxxxxx"
	State = 0xa664a388a66cb983d236d23ebef37d3d
server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> SCxxxxxx
[sql] sql_set_user escaped user --> 'SCxxxxxx'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'SCxxxxxx' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'SCxxxxxx' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User SCxxxxxx not found
++[sql] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for SCxxxxxx with NT-Password
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: %{mschap:NT-Domain} ->
[mschap] ... expanding second conditional
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-sxxxxxxxx} -> --domain=sxxxxxxxxx
[mschap] expand: %{Stripped-User-Name} ->
[mschap] ... expanding second conditional
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap] expand: %{User-Name:-None} -> SCxxxxxx
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=SCxxxxxx
[mschap] mschap2: da
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=6acdf0838a09579d
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=d27bf329069b5287e10c2aecb5db2d2b6ec72b5009d4b417
Exec-Program output: NT_KEY: 5F4E8449C438F65A74F572745BB76D4B
Exec-Program-Wait: plaintext: NT_KEY: 5F4E8449C438F65A74F572745BB76D4B
Exec-Program: returned: 0
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
	EAP-Message = 0x010900331a0308002e533d36394636324143333342424342363530313838433746413336413046323439434345363535423132
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xa664a388a76db983d236d23ebef37d3d
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x010900331a0308002e533d36394636324143333342424342363530313838433746413336413046323439434345363535423132
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xa664a388a76db983d236d23ebef37d3d
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 158 to 10.1.3.17 port 1645
	EAP-Message = 0x0109005b19001703010050f3713234ef67f70fb3db926e546551d060bea83aeb8cc7a5252cd2b6a28a6e1737369bb10c1926ac1241d3e8cd681e5fb431babf61bdc3db7b8ccc486adf282599179dd9afd5c249c26de9f939ff7be4
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x71a07f9a76a9665d779b09e23c4bbcc5
Finished request 17.
Going to the next request
Waking up in 0.7 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=159, length=219
	User-Name = "SCxxxxxx"
	Framed-MTU = 1400
	Called-Station-Id = "0016.9df4.c3d0"
	Calling-Station-Id = "001a.73a8.6482"
	Service-Type = Login-User
	Message-Authenticator = 0x9cd0dabf5df53bfa7fc35fa43d366933
	EAP-Message = 0x0209005019001703010020261ff487a8d8832e68d1548f56b04d87c6329b28fe2bc8d2575d21273da016ad170301002089f34c53faa28e493b56fbecc85f8cf2f0b1172212995969e6f5e2de1ab7604f
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1965
	State = 0x71a07f9a76a9665d779b09e23c4bbcc5
	NAS-IP-Address = 10.1.3.17
	NAS-Identifier = "apTeste"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x020900061a04
server {
  PEAP: Setting User-Name to SCxxxxxx
Sending tunneled request
	EAP-Message = 0x020900061a04
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "SCxxxxxx"
	State = 0xa664a388a76db983d236d23ebef37d3d
server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> SCxxxxxx
[sql] sql_set_user escaped user --> 'SCxxxxxx'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'SCxxxxxx' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'SCxxxxxx' ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
[sql] User SCxxxxxx not found
++[sql] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
rlm_eap_mschapv2: Invalid response type 4
[eap] Handler failed in EAP/mschapv2
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
	EAP-Message = 0x04090004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
	EAP-Message = 0x04090004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 159 to 10.1.3.17 port 1645
	EAP-Message = 0x010a002b190017030100202e8d249df8eae2bea8cc7a0715b973aaf3c7b9b75c1c4708cd475c7c41485156
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x71a07f9a79aa665d779b09e23c4bbcc5
Finished request 18.
Going to the next request
Waking up in 0.7 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=160, length=219
	User-Name = "SCxxxxxx"
	Framed-MTU = 1400
	Called-Station-Id = "0016.9df4.c3d0"
	Calling-Station-Id = "001a.73a8.6482"
	Service-Type = Login-User
	Message-Authenticator = 0xb80ea40196f818e93145fa48861f26ee
	EAP-Message = 0x020a00501900170301002017fa468115e7a7cf26fb13623a2ae41edea9f192fa65bb84dc1f1a5d1f142a0e17030100208d47a1fdfa3ee6b8b62bde0c18c43d3ad37de55e74d5c99f92509b86f79ab892
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1965
	State = 0x71a07f9a79aa665d779b09e23c4bbcc5
	NAS-IP-Address = 10.1.3.17
	NAS-Identifier = "apTeste"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> SCxxxxxx
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 19 for 1 seconds
Going to the next request

-----Original Message-----
From: freeradius-users-bounces+pedrojmalves=gmail....@lists.freeradius.org [mailto:freeradius-users-bounces+pedrojmalves=gmail....@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Wednesday, 19 May 2010 9:11
To: FreeRadius users mailing list
Subject: Re: EAP mschapv2 Failed to authenticate the user

Hi,

> Radiusd -X log:

...which is useless because all it shows is the startup stuff.....ie we need to see the occurrences after the following lines...

> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Listening on command file /usr/local/var/run/radiusd/radiusd.sock
> Listening on proxy address * port 1814
> Ready to process requests.

.....silence here. this is where we expect to see things to help you

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html