On Mon, Sep 6, 2010 at 12:54 PM, Alan DeKok <al...@deployingradius.com> wrote:
> Sion wrote:
>> I've also tried outer.reply, but I'm still not seeing it show up in my logs.
>
> <sigh> And the debug log says... ?

rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=113, length=175
        User-Name = "cc0086"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
        EAP-Message = 0x0203000b01636330303836
        Message-Authenticator = 0xfad76efcaaae1711153d00e8b66be682
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cc0086", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 113 to 192.168.196.13 port 32768
        EAP-Message = 0x010400061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcd901d8ccd9404e11d6b7c064faf8b1f
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=114, length=297
        User-Name = "cc0086"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
        EAP-Message = 0x0204007319800000006916030100640100006003014c84aaed46f925dbf010684571f2a65f8665099d1535eb4dafd7b34ccf5c382c000018002f00350005000ac013c014c009c00a00320038001300040100001f0000000b0009000006636330303836000a0006000400170018000b00020100
        State = 0xcd901d8ccd9404e11d6b7c064faf8b1f
        Message-Authenticator = 0x723f90602e22add50d84204eb9c29fbb
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cc0086", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 115
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 105
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0064], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 06e5], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 114 to 192.168.196.13 port 32768
        EAP-Message = 0x323d4fe9cf449ea6dc0def99
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcd901d8ccc9504e11d6b7c064faf8b1f
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=115, length=188
        User-Name = "cc0086"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
        EAP-Message = 0x020500061900
        State = 0xcd901d8ccc9504e11d6b7c064faf8b1f
        Message-Authenticator = 0x5f2a4775f7523e28fdc4a11f71f87c46
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cc0086", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 115 to 192.168.196.13 port 32768
        EAP-Message = 0x18283bd1e340289a5a3cd5b5e7201b8bcaa4ab8de951d9e24c2c59a9dab9b2751bf642f2efc7f218f989bca3ff8a232e704716030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcd901d8ccf9604e11d6b7c064faf8b1f
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=116, length=390
        User-Name = "cc0086"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
        EAP-Message = 0x020600d01980000000c6160301008610000082008093cef56e526dc8b390fac8cbe14d42b058bdf1f449a9c84ef8963a17f673c87c266231e2452377abf4b62f47ab87f21c08ff5b37c978df65dc2d650b92b646fa2df83fc87d60a05d0fb12cd632408c95849f19eeea78037685018463ed491c1f61a26590b03639a4edf5be80083b938ad3141c54f34e93ffda247cc27d68e16f14030100010116030100309a8e34a5520a23ef7fffa50009c9fa90a1c38b3e7515b2650b2f2b2a77570063ace6d5bc2d931992283c5f0bf3ff33d0
        State = 0xcd901d8ccf9604e11d6b7c064faf8b1f
        Message-Authenticator = 0xac104a34afffac97df350e54c4175593
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cc0086", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 116 to 192.168.196.13 port 32768
        EAP-Message = 0x010700411900140301000101160301003044a5568519b90fc4f025402fba4d748c554186ad5fe16e5222b5a6697cc48c24961ce6376c7b771c9b6a337e0d47700a
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcd901d8cce9704e11d6b7c064faf8b1f
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=117, length=188
        User-Name = "cc0086"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
        EAP-Message = 0x020700061900
        State = 0xcd901d8cce9704e11d6b7c064faf8b1f
        Message-Authenticator = 0xf2deda649560b5cdfc1b28b03cb37304
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cc0086", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 117 to 192.168.196.13 port 32768
        EAP-Message = 0x0108002b19001703010020aa320f1d031012a0ec51ec99585bc62c72a3bb786e053e80aed6daa644ec2cae
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcd901d8cc99804e11d6b7c064faf8b1f
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=118, length=225
        User-Name = "cc0086"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
        EAP-Message = 0x0208002b19001703010020c2e8be5361c10411cadf5f701b6de7446814f8b7903ac77bbda1c316b4c1109c
        State = 0xcd901d8cc99804e11d6b7c064faf8b1f
        Message-Authenticator = 0xcf4cacaadd8e256aa927a8a06156d459
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cc0086", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - cc0086
[peap] Got tunneled request
        EAP-Message = 0x0208000b01636330303836
server {
PEAP: Got tunneled identity of cc0086
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to cc0086
Sending tunneled request
        EAP-Message = 0x0208000b01636330303836
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "cc0086"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "cc0086", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group EAP {...}
expand: %{reply:MS-CHAP-Error} ->
++[outer.control] returns reject
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message = 0x010900201a0109001b10bb9e7492a6bc73d959be9d902d7078bc636330303836
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x30652915306c3399cd1bddd466afcc03
[peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x010900201a0109001b10bb9e7492a6bc73d959be9d902d7078bc636330303836
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x30652915306c3399cd1bddd466afcc03
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 118 to 192.168.196.13 port 32768
        EAP-Message = 0x0109004b190017030100401213bdb66fec8786c2ab048f0d729335d1a60bb7acea3150fa728d019f3fcd9a3f1464c301eb2437265a3daed8380523c6befa216915bc6b7843be09551a6038
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcd901d8cc89904e11d6b7c064faf8b1f
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=119, length=289
        User-Name = "cc0086"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
        EAP-Message = 0x0209006b190017030100606a82d39c737d6a30e594e2c787d1073c23a24c3d5f1db005caaf72f2416199902efc72ca3c0ef4443030910f7523fd335b79600d5cfdf952a7da1b1ab9e06dcead14e078053d7337c8ebe9b7caa440c1052a78c903d0ff4cfe5e3595274d8060
        State = 0xcd901d8cc89904e11d6b7c064faf8b1f
        Message-Authenticator = 0xdf7b0162c26571a79f0b2a6670c7c289
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cc0086", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x020900411a0209003c31378805df2ace774051ee17d8f0bfe5670000000000000000b2be976261221bc6be689240cbfd3adba42fd0aa01d3e83800636330303836
server {
PEAP: Setting User-Name to cc0086
Sending tunneled request
        EAP-Message = 0x020900411a0209003c31378805df2ace774051ee17d8f0bfe5670000000000000000b2be976261221bc6be689240cbfd3adba42fd0aa01d3e83800636330303836
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "cc0086"
        State = 0x30652915306c3399cd1bddd466afcc03
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "cc0086", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 65
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group EAP {...}
expand: %{reply:MS-CHAP-Error} ->
++[outer.control] returns reject
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for cc0086 with NT-Password
[mschap] expand: %{Stripped-User-Name} ->
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap] expand: %{User-Name:-None} -> cc0086
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=cc0086
[mschap] mschap2: bb
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=3b6854cde18f868d
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=b2be976261221bc6be689240cbfd3adba42fd0aa01d3e838
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\tE=691 R=1"
        EAP-Message = 0x04090004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\tE=691 R=1"
        EAP-Message = 0x04090004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 119 to 192.168.196.13 port 32768
        EAP-Message = 0x010a002b190017030100200887b3d6f1a7645507824e43d00bcec006de93ac841e5e28c531d69324a9e9b2
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcd901d8ccb9a04e11d6b7c064faf8b1f
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=120, length=225
        User-Name = "cc0086"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
        EAP-Message = 0x020a002b190017030100208fbe14e5d82d8325e5e12f19bfd63620fb14f4082357311d9bedba574eb14dca
        State = 0xcd901d8ccb9a04e11d6b7c064faf8b1f
        Message-Authenticator = 0xe0d14b40638deb9cb37b71ea21685c5e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cc0086", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> cc0086
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
[testlinelog] expand: /var/log/radius/testlinelog -> /var/log/radius/testlinelog
[testlinelog] expand: %S %{reply:Packet-Type} %{User-Name} %{Calling-Station-Id} %{Called-Station-Id} %{NAS-Identifier} %{Packet-Src-IP-Address} %{reply:Reply-Message} %{reply:MS-CHAP-Error} %{MS-CHAP-Error}%{reply:Tunnel-Type} %{reply:Tunnel-Private-Group-Id} -> 2010-09-06 09:48:42 Access-Reject cc0086 00-1B-77-94-57-72 00-0B-85-6D-BA-C0:eduroam llwacA105 192.168.196.13
++[testlinelog] returns ok
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 120 to 192.168.196.13 port 32768
        EAP-Message = 0x040a0004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.

>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html