Dear Alan,

Thanks for your prompt reply and helpful information.

I tried to get the error message of the inner-tunnel by running an sql query in "Post-Auth-Type Reject {}" of default. The message field in the radpostauth table is empty. The query seems unable to access the %{inner.control:My-Err-Message} attribute.

My question is: Can sql in default (outer session) access an inner-server control attribute when the login is rejected? If the answer is no, could you give me a hint on how I can get & log the error message of the inner session?

Thanks again.

After your reply, I include:
1. The warning message
2. sql query for radpostauth
3. content of authorize section of file /etc/raddb/sites-available/default
4. radiusd -X debug message for access-reject case

------------ Alan's reply ------------

Fads Afds wrote:
> Hi Fellows,
>
> I have configured FreeRadius 2.1.8 running on SLES 11 for PEAP/MSCHAPv2.
> MySQL is used for user database. I have tested using "eapol_test" and win/XP
> SP3 supplicant.
> Accounting data can be received & stored to radacct table.
> Inner-server can successfully accept user with accumulated session time
> quota not exceeded and reject user with accumulated session time quota
> exceeded.
> My problem:
> I expect to store accept or reject log with rejecting message to
> radpostauth table.
> For access-accept case, sql inside post-auth {} of inner-tunnel is invoked
> and logging message is written to radpostauth table as expected.
> For access-reject cases (username does not exist in db, wrong username,
> accumulated session time quota exceeded, etc), Post-Auth-Type REJECT {} of
> inner-tunnel is never entered. What is wrong? Any help? Thanks in advance.

The server does not currently run the "Post-Auth-Type Reject" when in the inner tunnel. Instead, it is run in the default virtual server, outside of the tunnel.

Alan DeKok.

------------ Alan's reply ends ------------

------------- 1. The warning message -------------
[sql] WARNING: Unknown module "inner.control" in string expansion "%{inner.control:My-Err-Message}',
------------- 1. ends -------------

------------- 2. sql query for radpostauth -------------
postauth_query = "INSERT INTO ${postauth_table} \
	(ID, username, password, nas_ip, auth_result, reply_message, authdate) \
	VALUES (NULL, \
	'%{User-Name}', \
	aes_encrypt('NA', 'abc123456def'), \
	'%{NAS-IP-ADDRESS}', \
	'%{reply:Packet-Type}', \
	'%{inner.control:My-Err-Message}', \
	'%S')"
------------- 2. ends -------------

------------- 3. content of Post-Auth-Type Reject{} section of file /etc/raddb/sites-available/default -------------
Post-Auth-Type REJECT {
	sql
	reply_log
	attr_filter.access_reject
}
------------- 3. ends -------------

------------- 4. radiusd -X message for rejected case -------------
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 158.182.118.234 port 43514, id=159, length=168
	User-Name = "visit04"
	NAS-IP-Address = 158.182.118.234
	NAS-Port = 1
	NAS-Identifier = "158.182.118.234"
	NAS-Port-Type = Wireless-802.11
	Calling-Station-Id = "34159EE8BD35"
	Called-Station-Id = "000B8609D780"
	Service-Type = Login-User
	Framed-MTU = 1100
	EAP-Message = 0x0201000c0176697369743034
	Aruba-Essid-Name = "BU-Guest"
	Aruba-Location-Id = "SRH-S906"
	Message-Authenticator = 0x5fbf723681bafb64473bda5fb613e4b4
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "visit04", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[pap] WARNING!
No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Flushing SSL sessions (of #0) [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 159 to 158.182.118.234 port 43514 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2451839f24539a76dd46fbeb200155bb Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 158.182.118.234 port 43514, id=160, length=310 User-Name = "visit04" NAS-IP-Address = 158.182.118.234 NAS-Port = 1 NAS-Identifier = "158.182.118.234" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "34159EE8BD35" Called-Station-Id = "000B8609D780" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0202008819800000007e16030100790100007503014c36b96bd9a767fea76af8ea1ad3b3fe170ef44198d94e94e1d7f4d45eb7d95300003ac00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a0009000300080033003900160015001401000012000a00080006001700180019000b00020100 State = 0x2451839f24539a76dd46fbeb200155bb Aruba-Essid-Name = "BU-Guest" Aruba-Location-Id = "SRH-S906" Message-Authenticator = 0x807c6e2d452be6f72076f30aae603e1e +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "visit04", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 136 [eap] Continuing tunnel setup. 
++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 126 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0079], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 004a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 084d], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 160 to 158.182.118.234 port 43514 EAP-Message = 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 EAP-Message = 0x737420434120636572742028363462697420736572766572293020170d3130303632343033353835305a180f32303530303631343033353835305a308182310b300906035504061302434e310b300906035504081302484b310d300b060355040a1304484b4255312e302c06035504031325484b42552047756573742073657276657220636572746966696361746520283634626974293127302506092a864886f70d0109011618726f6f7440667267756573742e686b62752e6564752e686b30820122300d06092a864886f70d01010105000382010f003082010a0282010100c7649ee337738ce465aec9a12a375bd4d76fc3c2f50ac701065d1433 EAP-Message = 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 EAP-Message = 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 EAP-Message = 0x614977256b1dcde1b92a76f3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2451839f25529a76dd46fbeb200155bb Finished request 1. 
Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 158.182.118.234 port 43514, id=161, length=180 User-Name = "visit04" NAS-IP-Address = 158.182.118.234 NAS-Port = 1 NAS-Identifier = "158.182.118.234" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "34159EE8BD35" Called-Station-Id = "000B8609D780" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020300061900 State = 0x2451839f25529a76dd46fbeb200155bb Aruba-Essid-Name = "BU-Guest" Aruba-Location-Id = "SRH-S906" Message-Authenticator = 0xc129a38994a204510116e4a413e3fd4f +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "visit04", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 161 to 158.182.118.234 port 43514 EAP-Message = 0x010403fc1940d8d084a884e20a2a165c46af33618c22000498308204943082037ca003020102020900a00b0c8b6ee723bb300d06092a864886f70d010105050030818c310b300906035504061302434e310b300906035504081302484b310c300a06035504071303656475310d300b060355040a1304484b42553127302506092a864886f70d0109011618726f6f7440667267756573742e686b62752e6564752e686b312a302806035504031321484b425520477565737420434120636572742028363462697420736572766572293020170d3130303632343033353833335a180f32303530303631343033353833335a30818c310b30090603550406 EAP-Message = 
0x1302434e310b300906035504081302484b310c300a06035504071303656475310d300b060355040a1304484b42553127302506092a864886f70d0109011618726f6f7440667267756573742e686b62752e6564752e686b312a302806035504031321484b4255204775657374204341206365727420283634626974207365727665722930820122300d06092a864886f70d01010105000382010f003082010a0282010100c001917da3c962085a616702fa98c2bd794c7edfa3a1f038258e018a126e736e3a61ae5120b956ab0566a9258b889d66e616e2d702b1a0f5ec79b1b484a9a9ec5ff3ba49d31895a6073ac132c9aa28f3e9906d0a6e3c24e852 EAP-Message = 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 EAP-Message = 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 EAP-Message = 0x400957b5cd394c74 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2451839f26559a76dd46fbeb200155bb Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 158.182.118.234 port 43514, id=162, length=180 User-Name = "visit04" NAS-IP-Address = 158.182.118.234 NAS-Port = 1 NAS-Identifier = "158.182.118.234" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "34159EE8BD35" Called-Station-Id = "000B8609D780" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020400061900 State = 0x2451839f26559a76dd46fbeb200155bb Aruba-Essid-Name = "BU-Guest" Aruba-Location-Id = "SRH-S906" Message-Authenticator = 0x840c9d88dbf3256afd4525a35ea49bd4 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "visit04", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. 
++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 162 to 158.182.118.234 port 43514 EAP-Message = 0x010500c4190012c062cd3163799ab42c262a3b39ee4aadeba8ca0584 be4afc188b998b5b79ebc112998a4791842e212835761d44b5202634a16bdc8886be5a2a6ddef1be 58fd73726f412c140197da3a29fc44aa1b67361c18f9f72312826067f64edc638e6a8b5511cd2c9e d88cb6de9ef5c6c909025dc37b4abdc9fdc643561bb06b1e07e30de728a7e8a4dc07dda92896b897 6fedf2623b70b61a7757012cb421a8c76616030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2451839f27549a76dd46fbeb200155bb Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 158.182.118.234 port 43514, id=163, le ngth=512 User-Name = "visit04" NAS-IP-Address = 158.182.118.234 NAS-Port = 1 NAS-Identifier = "158.182.118.234" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "34159EE8BD35" Called-Station-Id = "000B8609D780" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0205015019800000014616030101061000010201003bf0a1c7ffabbf d264a9ed58e54032fa600764768552751ec7f53062cd5a9ebaa52c46c6d6473f0ca33765d222a337 0309fd496e403f48ffa250620d87d7e2b53adff292a0fe7aa59ce6c6a894c9a9f251310c58d2798e 462eaef1dd00f79a31fb4074edfeb033e90924c3f8d236a5155f28b1a3f99c6ec692afccca487db4 4f9a9044c7d837eebf3da89c3f8f4f441b1e7f89b8eb9ae31e4ace331184697e1becff07f91fae76 6b7db43ab8665fbf2fee0a1e60dc06b4da5372041ed4c3f0e8644c5833201b9fa612988d54f2909f 6a0c4378a46a93fb1c589f62dfe98b51d639aa10afc5cdfe22 EAP-Message = 0x4c6390331da2262fadc0868cc2a68da17c72dc060fbeb7d814030100 0101160301003054624df5fcb87f023583a20ff07bded2d37e6bade2f35680bb627a67a08c3715fb 
e34c1eab20dd678bebe49473239609 State = 0x2451839f27549a76dd46fbeb200155bb Aruba-Essid-Name = "BU-Guest" Aruba-Location-Id = "SRH-S906" Message-Authenticator = 0x305bb4b0e144e78dc6a57741b74fcc54 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "visit04", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data SSL: adding session 747bba71baba01650b81ddf7414a3fb3d5ac2e003f9d20859ffc9ec61d d8fe59 to cache [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 163 to 158.182.118.234 port 43514 EAP-Message = 0x0106004119001403010001011603010030eb029049a915c4eed9864c 22405237450831a8c271e7d0df2892e87916cd8c988d2f45f0d8295ee9b3a28fecb0b9cb26 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2451839f20579a76dd46fbeb200155bb Finished request 4. Going to the next request Waking up in 4.8 seconds. 
Cleaning up request 0 ID 159 with timestamp +1 Cleaning up request 1 ID 160 with timestamp +1 Cleaning up request 2 ID 161 with timestamp +1 Cleaning up request 3 ID 162 with timestamp +1 Cleaning up request 4 ID 163 with timestamp +1 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 44979, id=0, length=118 User-Name = "time1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000a0174696d6531 Message-Authenticator = 0x92f180fdc088db77ec99a79a3853e8df +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "time1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 127.0.0.1 port 44979 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x916bee87916af76dd5fdb5b529c56e9d Finished request 5. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 127.0.0.1 port 44979, id=1, length=235 User-Name = "time1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0201006d198000000063160301005e0100005a03014c36b9940675bc 6559c07769a84fd3181a44bc79b9976f0ae1362e9afe4bb177000032003900380035008800870084 00160013000a00330032002f00450044004100050004001500120009001400110008000600030201 00 State = 0x916bee87916af76dd5fdb5b529c56e9d Message-Authenticator = 0x8be06fd650f109fc2ad4ec626bcf639c +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "time1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 109 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 99 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 005e], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 004a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 084d], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending 
Access-Challenge of id 1 to 127.0.0.1 port 44979 EAP-Message = 0x0102040019c000000abc160301004a0200004603014c36b9948fd417 c358d194f7f033ae8cc5ff244d77ca8166fc6881b774d94ef32044540d0f50e26d1444cb5ce1d6f3 d574fbc20b1cddb9a708567434fa1bebc167003901160301084d0b0008490008460003a8308203a4 3082028ca003020102020101300d06092a864886f70d010104050030818c310b3009060355040613 02434e310b300906035504081302484b310c300a06035504071303656475310d300b060355040a13 04484b42553127302506092a864886f70d0109011618726f6f7440667267756573742e686b62752e 6564752e686b312a302806035504031321484b425520477565 EAP-Message = 0x73742043412063657274202836346269742073657276657229302017 0d3130303632343033353835305a180f32303530303631343033353835305a308182310b30090603 5504061302434e310b300906035504081302484b310d300b060355040a1304484b4255312e302c06 035504031325484b4255204775657374207365727665722063657274696669636174652028363462 6974293127302506092a864886f70d0109011618726f6f7440667267756573742e686b62752e6564 752e686b30820122300d06092a864886f70d01010105000382010f003082010a0282010100c7649e e337738ce465aec9a12a375bd4d76fc3c2f50ac701065d1433 EAP-Message = 0x22c38dd78776d5ad0cb747a32f6b512dce6d26cccffefd49cf151767 0305c6cb6eee0b70c86cb259383ca439bf011e8d8689cd17c41e99498256f13e6f14282b8eeef46f 95e742d40254b69d7270d1d349e8cd41cff1dc98ea38fb494ea6007aed1575391d69e9f1c230fea9 125f09a28d544282e9520e4c5987f54ff43f94567991d6172f98bfd3a200aeb07e60345e40caff2f 1f34c52e77707e3321a774bc7601827ccbd723e044ee635de38dc174e37aea2640f5dbacb3454bd8 9bd2e03b81031365232fe8f014c069983950f75aa8fdcce7a9ee52d57dc7fec1512a57fabb3b993b 0203010001a317301530130603551d25040c300a06082b0601 EAP-Message = 0x0505070301300d06092a864886f70d01010405000382010100192613 ffaf84004131ad7ce0d3da7b42d8a594371b96058ea7dc28554921dfd279076ad03cbf83ab81d7d3 ac909202e97a3c22fdad6eee38f2961ef4e9cc9398c5e4bd8a0f41c9174d4fa44a1e77e95c887c06 5197300ea90c8ffc1d32c898c4e137b6a74834c769d7be8008fea4b3ca9c5a33505b588fd93fa440 
584d00f8c0c11d62bd886037289e5f27cec1039a4c311a04a7cf75b9ed578b840c66993dea65d31a df591ffc290d98d6565e70a1d3d45ae3f0c877c5104d1def8c23a79f38c92731165bfb2a84759f2c 6c07e15ff75e4fe6f99e67dac4fc5ca7bf6cbdf849c44b77f6 EAP-Message = 0x614977256b1dcde1b92a76f3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x916bee879069f76dd5fdb5b529c56e9d Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 44979, id=2, length=132 User-Name = "time1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200061900 State = 0x916bee879069f76dd5fdb5b529c56e9d Message-Authenticator = 0xd8afe5a5dd1ff493ea23d2bdcdf9ccde +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "time1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. 
++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 2 to 127.0.0.1 port 44979 EAP-Message = 0x010303fc1940d8d084a884e20a2a165c46af33618c22000498308204 943082037ca003020102020900a00b0c8b6ee723bb300d06092a864886f70d010105050030818c31 0b300906035504061302434e310b300906035504081302484b310c300a0603550407130365647531 0d300b060355040a1304484b42553127302506092a864886f70d0109011618726f6f744066726775 6573742e686b62752e6564752e686b312a302806035504031321484b425520477565737420434120 636572742028363462697420736572766572293020170d3130303632343033353833335a180f3230 3530303631343033353833335a30818c310b30090603550406 EAP-Message = 0x1302434e310b300906035504081302484b310c300a06035504071303 656475310d300b060355040a1304484b42553127302506092a864886f70d0109011618726f6f7440 667267756573742e686b62752e6564752e686b312a302806035504031321484b4255204775657374 204341206365727420283634626974207365727665722930820122300d06092a864886f70d010101 05000382010f003082010a0282010100c001917da3c962085a616702fa98c2bd794c7edfa3a1f038 258e018a126e736e3a61ae5120b956ab0566a9258b889d66e616e2d702b1a0f5ec79b1b484a9a9ec 5ff3ba49d31895a6073ac132c9aa28f3e9906d0a6e3c24e852 EAP-Message = 0x621586b8db41ce111ebf2befc143a5cc9d562d020594fe407135ec1c 068dd0303eca75e5c5dd9cab898af3e870072ea3eca78602644eea0bac0c5619925b56aba1b1c1fc 4c48fded87cdcf44d1b99a2c1f534e8b88e4a35f9d1ffa8a50cdb402743516a0cbce2a4796459501 875ec225357d4a362202e15ee12a0154f018e5b84a5e5884c268d3154ed41f7b78ea2f6df852e07b dd50a55c26467bcaf75c41d393bc78b27fb5170203010001a381f43081f1301d0603551d0e041604 14c134ca58d9d8f09b9207417630a08266b192ef523081c10603551d230481b93081b68014c134ca 
58d9d8f09b9207417630a08266b192ef52a18192a4818f3081 EAP-Message = 0x8c310b300906035504061302434e310b300906035504081302484b31 0c300a06035504071303656475310d300b060355040a1304484b42553127302506092a864886f70d 0109011618726f6f7440667267756573742e686b62752e6564752e686b312a302806035504031321 484b42552047756573742043412063657274202836346269742073657276657229820900a00b0c8b 6ee723bb300c0603551d13040530030101ff300d06092a864886f70d010105050003820101000d81 bb75569e9ce10ee1cc274ce224d6d175d681f14079bdb2953b179dc9e15eedecd08f8d61f1759f3b b4c97458573e0b9b6b6be66954fc48d713a54ad949e99d806a EAP-Message = 0x400957b5cd394c74 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x916bee879368f76dd5fdb5b529c56e9d Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 44979, id=3, length=132 User-Name = "time1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300061900 State = 0x916bee879368f76dd5fdb5b529c56e9d Message-Authenticator = 0xea8dbecd0bbfd3fd3a2ecfa044306feb +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "time1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. 
++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 3 to 127.0.0.1 port 44979 EAP-Message = 0x010402d6190012c062cd3163799ab42c262a3b39ee4aadeba8ca0584 510b5f850ecbe4afc188b998b5b79ebc112998a4791842e212835761d44b5202634a16bdc8886be5 a2a6ddef1becbbaa64117a58fd73726f412c140197da3a29fc44aa1b67361c18f9f72312826067f6 4edc638e6a8b5511cd2c9eff129e700e0d88cb6de9ef5c6c909025dc37b4abdc9fdc643561bb06b1 e07e30de728a7e8a4dc07dda92896b8975d7907b85b66fedf2623b70b61a7757012cb421a8c76616 0301020d0c00020900808fcc5daaf65ec4b9ed53a13aa5563c3a857d7b01a0935ce18302cbbd8117 bdcee617438d810d33e6737c2b63ad1b1e728d85e9aa9c155d EAP-Message = 0x84c5499240de4a0574ca81181dd71a196f1dccceee978f8380d16b7e 6019d903f2d5ed2428b8649b958dbd4a5c52b8f99989c064eb651266552a0b7eab32727454b2eee7 89c78aee3b000102008006712a5b381bc117e45cbd7fab4a3f79b5de212697b11ea7050ea92387e2 bd8f55f1fcaed363ad2e59ac6ba4e20a502f5d9e320a4e67aa8a59c032fa7b1fa7c88ebf4f45a365 e247503763959d230aeba6d365560776fb3f1a37c7768df257ec6b8e874bbcc8725cc5cc3aabbf5a a607b1ddb9aadc912084a35431ffd12d72280100567b7a139ef0b540f469f3152ea29b1279ce2c0b e37d8b0589af62c0feabc70a4b75e169fbe19eaed05d94fd35 EAP-Message = 0x0487fa6a7fb0deb69a9441ff459df22b562e61aea5b6d6a925ebddd2 734c0f91be9589c39f74308377167856c63654257d3b82c3e1cd1dc2078af6428cd457be9f4f16f7 8a57f6726e9008ae8a91446703c2409b24f8c1dc43824cec7d78baeb1c4bdedd15e6e7d646c11261 1e5f2fca452578637f56d7f8bc7fb70a5046bc5855a58c1a478b3a0d815d5a7a679dcda704ee07e0 f998917389ac127708a67b52b700b8d6fcd2e2b07b12255a72e7daa1641063f71fd4071d842283ac dcf4f8cbafeb53d34c08874d672b4d0ed135e0948d32e316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 
State = 0x916bee87926ff76dd5fdb5b529c56e9d Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 44979, id=4, length=334 User-Name = "time1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400d01980000000c6160301008610000082008033eddf5661f7ab ee16b84267fd8caedf21933f4765a74e0225225c1a0f0fa34073f798a1c6fb78d1d8cce2a7233f96 c0e46dee307cbcc4fafbfeefed0cee3d4ace2cda38f588d621182cf7784b5cfadf4ae002cb1229fe 3c25cf8a84d651b9f1a48d5c653f24078908b3f76eabcbaf0336110ea6b5ce43bce7e9806b21f497 e11403010001011603010030c0fad5b2a8620a03c368f400561a18aa1ef9c47c812975c1200ee4d9 1b6f7ab876a8328439a8d6c46b92a9d9675d5ab6 State = 0x916bee87926ff76dd5fdb5b529c56e9d Message-Authenticator = 0xcb67ce8cdef834a019f0bc172be79567 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "time1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 208 [eap] Continuing tunnel setup. 
++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data SSL: adding session 44540d0f50e26d1444cb5ce1d6f3d574fbc20b1cddb9a708567434fa1b ebc167 to cache [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 4 to 127.0.0.1 port 44979 EAP-Message = 0x010500411900140301000101160301003023d4aff3b00678962d4461 db9937f233d330e52eb786e7f491bf95a2ff34e61403a6af4475b47928a9a9dc5ed504a7db Message-Authenticator = 0x00000000000000000000000000000000 State = 0x916bee87956ef76dd5fdb5b529c56e9d Finished request 9. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 127.0.0.1 port 44979, id=5, length=132 User-Name = "time1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020500061900 State = 0x916bee87956ef76dd5fdb5b529c56e9d Message-Authenticator = 0x6368b75534fe339b5807873da362c3ad +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "time1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 5 to 127.0.0.1 port 44979 EAP-Message = 0x0106002b19001703010020875473c93e0b7cb56d652eb5fe471f11d9 35542130e98f57a3704a1b29200490 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x916bee87946df76dd5fdb5b529c56e9d Finished request 10. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 127.0.0.1 port 44979, id=6, length=222 User-Name = "time1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020600601900170301002031960254e6cb92dd55e739f57bf9821c52 1ba47d45a525945bf075364b02362c1703010030430376a22471040f6ae116593bc609d44298483d 275e06234fb07925c512cc8e21911dc9580157366992019cd0648de2 State = 0x916bee87946df76dd5fdb5b529c56e9d Message-Authenticator = 0xba24b8aee8858b6bfe01e4a0996df0d7 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "time1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - time1 [peap] Got tunnled request EAP-Message = 0x0206000a0174696d6531 server (null) { PEAP: Got tunneled identity of time1 PEAP: Setting default EAP type for tunneled EAP session. 
PEAP: Setting User-Name to time1
Sending tunneled request
        EAP-Message = 0x0206000a0174696d6531
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "time1"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
server inner-tunnel {
+- entering group authorize {...}
++[mschap] returns noop
[suffix] No '@' in User-Name = "time1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20100709
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20100709
[auth_log] expand: %t -> Fri Jul 9 13:54:28 2010
++[auth_log] returns ok
[sql] expand: %{User-Name} -> time1
[sql] sql_set_user escaped user --> 'time1'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: (SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' and attribute != 'Cleartext-Password') UNION (SELECT id, username, attribute, aes_decrypt(value,'abc123456def'), op FROM radcheck WHERE username = '%{SQL-User-Name}' and attribute = 'Cleartext-Password') ORDER BY id -> (SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'time1' and attribute != 'Cleartext-Password') UNION (SELECT id, username, attribute, aes_decrypt(value,'abc123456def'), op FROM radcheck WHERE username = 'time1' and attribute = 'Cleartext-Password') ORDER BY id
rlm_sql_mysql: query: (SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'time1' and attribute != 'Cleartext-Password') UNION (SELECT id, username, attribute, aes_decrypt(value,'abc123456def'), op FROM radcheck WHERE username = 'time1' and attribute = 'Cleartext-Password') ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'time1' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'time1' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'time1' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'time1' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++? if (!(control:Cleartext-Password))
?? Evaluating (control:Cleartext-Password) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(control:Cleartext-Password)) -> FALSE
++? elsif ((reply:acct_expiration) && ("%{reply:acct_expiration}" < "%D") )
?? Evaluating (reply:acct_expiration) -> TRUE
expand: %{reply:acct_expiration} -> 29991231
expand: %D -> 20100709
?? Evaluating ("%{reply:acct_expiration}" < "%D") -> FALSE
++? elsif ((reply:acct_expiration) && ("%{reply:acct_expiration}" < "%D") ) -> FALSE
++? elsif ((reply:acct_expiration) && (reply:1st_login_date) && (reply:ticket_expiration) && ("%{reply:1st_login_date}" != "29991231") && ("%{reply:ticket_expiration}" < "%D") )
?? Evaluating (reply:acct_expiration) -> TRUE
?? Evaluating (reply:1st_login_date) -> TRUE
?? Evaluating (reply:ticket_expiration) -> TRUE
expand: %{reply:1st_login_date} -> 20100601
?? Evaluating ("%{reply:1st_login_date}" != "29991231") -> TRUE
expand: %{reply:ticket_expiration} -> 20100830
expand: %D -> 20100709
?? Evaluating ("%{reply:ticket_expiration}" < "%D") -> FALSE
++? elsif ((reply:acct_expiration) && (reply:1st_login_date) && (reply:ticket_expiration) && ("%{reply:1st_login_date}" != "29991231") && ("%{reply:ticket_expiration}" < "%D") ) -> FALSE
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}''
[noreset_time_counter] expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='time1'
sqlcounter_expand: '%{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='time1'}'
[noreset_time_counter] sql_xlat
[noreset_time_counter] expand: %{User-Name} -> time1
[noreset_time_counter] sql_set_user escaped user --> 'time1'
[noreset_time_counter] expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='time1' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='time1'
[noreset_time_counter] expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='time1'
[noreset_time_counter] sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
[noreset_time_counter] expand: %{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='time1'} -> 205
rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user time1, check_item=20, counter=205
++[noreset_time_counter] returns reject
++? if (reject)
? Evaluating (reject) -> TRUE
++? if (reject) -> TRUE
++- entering if (reject) {...}
+++[control] returns reject
++- if (reject) returns reject
Invalid user (rlm_sqlcounter: Maximum never usage time reached): [time1/<via Auth-Type = EAP>] (from client localhost port 0 cli 02-00-00-00-00-01 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
        1st_login_date := "20100601"
        acct_expiration := "29991231"
        ticket_days := "90"
        ticket_expiration := "20100830"
        Reply-Message = "Your maximum never usage time has been reached"
[peap] Got tunneled reply RADIUS code 3
        1st_login_date := "20100601"
        acct_expiration := "29991231"
        ticket_days := "90"
        ticket_expiration := "20100830"
        Reply-Message = "Your maximum never usage time has been reached"
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 6 to 127.0.0.1 port 44979
        EAP-Message = 0x0107003b190017030100300a7bc9169f55617f8b9404f23c70a22ec0351e07fa46e1f17ec51bf9edddc23df774d9da16c92de9e5a5eb8ae95eaace
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x916bee87976cf76dd5fdb5b529c56e9d
Finished request 11.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 44979, id=7, length=222
        User-Name = "time1"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0207006019001703010020e87fc62cb04cb5a8db18300f4f10d851de97490da264270001365b5b2474578517030100309b29d0ffe622d696ca430fd4b2c7a86c0040aaa170818dc976eeb7338151522559da71fff0361565af9fb778cccf58b8
        State = 0x916bee87976cf76dd5fdb5b529c56e9d
        Message-Authenticator = 0x0132e061daaf8f9d3ae6d187066d3f04
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
SSL: Removing session 44540d0f50e26d1444cb5ce1d6f3d574fbc20b1cddb9a708567434fa1bebc167 from the cache
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [time1/<via Auth-Type = EAP>] (from client localhost port 0 cli 02-00-00-00-00-01)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[sql] expand: %{User-Name} -> time1
[sql] sql_set_user escaped user --> 'time1'
[sql] WARNING: Unknown module "inner.control" in string expansion "%{inner.control:My-Err-Message}', '%S')"
[sql] expand: INSERT INTO radpostauth (ID, username, password, nas_ip, auth_result, reply_message, authdate) VALUES (NULL, '%{User-Name}', aes_encrypt('NA', 'abc123456def'), '%{NAS-IP-ADDRESS}', '%{reply:Packet-Type}', '%{inner.control:My-Err-Message}', '%S') -> INSERT INTO radpostauth (ID, username, password, nas_ip, auth_result, reply_message, authdate) VALUES (NULL, 'time1', aes_encrypt('NA', 'abc123456def'), '127.0.0.1', 'Access-Reject', '', '2010-07-09 13:54:28')
[sql] expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (ID, username, password, nas_ip, auth_result, reply_message, authdate) VALUES (NULL, 'time1', aes_encrypt('NA', 'abc123456def'), '127.0.0.1', 'Access-Reject', '', '2010-07-09 13:54:28')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: INSERT INTO radpostauth (ID, username, password, nas_ip, auth_result, reply_message, authdate) VALUES (NULL, 'time1', aes_encrypt('NA', 'abc123456def'), '127.0.0.1', 'Access-Reject', '', '2010-07-09 13:54:28')
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
[reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/reply-detail-20100709
[reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/reply-detail-20100709
[reply_log] expand: %t -> Fri Jul 9 13:54:28 2010
++[reply_log] returns ok
[attr_filter.access_reject] expand: %{User-Name} -> time1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 12 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 12
Sending Access-Reject of id 7 to 127.0.0.1 port 44979
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 5 ID 0 with timestamp +24
Cleaning up request 6 ID 1 with timestamp +24
Cleaning up request 7 ID 2 with timestamp +24
Cleaning up request 8 ID 3 with timestamp +24
Cleaning up request 9 ID 4 with timestamp +24
Cleaning up request 10 ID 5 with timestamp +24
Cleaning up request 11 ID 6 with timestamp +24
----4. ends -------------------------