Hello, let me explain in more detail. I want to proxy PEAP to an old server which cannot deal with EAP, so the inner EAP-MSCHAPv2 is proxied as plain MS-CHAPv2 (proxy_tunneled_request_as_eap = no). This worked on 2.0.4 but does not work on 2.1.10. I can't understand what's wrong.
Comparing the debug output of the two versions, I noticed a difference: after ''[eap] Passing reply back for EAP-MS-CHAP-V2'', mschap_postproxy() was called in 2.0.4, but not in 2.1.10. In the 2.1.10 output below, the inner-tunnel post-proxy section only shows ''++[eap] returns noop'', and the client then rejects the PEAP success (''Client rejected our response''). Thanks. -------- configuration prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct name = freeradius confdir = ${raddbdir} run_dir = ${localstatedir}/run/${name} db_dir = ${raddbdir} libdir = /usr/lib/freeradius pidfile = ${run_dir}/${name}.pid max_request_time = 30 cleanup_delay = 5 max_requests = 1024 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes checkrad = ${sbindir}/checkrad proxy_requests = yes listen { type = auth ipaddr = * port = 0 } log { destination = files file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } realm legacy { authhost = 192.168.1.5:1645 secret = testing123 } client 10.0.0.0/8 { secret = testing456 shortname = priv10 nastype = other } thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { eap { default_eap_type = mschapv2 timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = tetest123 private_key_file = ${certdir}/server.key certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = ${certdir}/random cipher_list = "DEFAULT" cache { enable = no lifetime = 24 # hours max_entries = 255 } } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = no virtual_server = "inner-tunnel" } mschapv2 { } } } server inner-tunnel { authorize { update control { 
Proxy-To-Realm := legacy } } authenticate { eap } post-proxy { eap } } authorize { eap { ok = return } } authenticate { eap } post-proxy { eap } -------- debug output FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Feb 16 2011 at 10:52:08 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf main { allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### realm legacy { authhost = 192.168.1.5:1645 secret = testing123 } radiusd: #### Loading Clients #### client 10.0.0.0/8 { require_message_authenticator = no secret = "testing456" shortname = "priv10" nastype = "other" } radiusd: #### Instantiating modules #### radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/freeradius/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/radiusd.conf eap { default_eap_type = "mschapv2" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls 
tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "tetest123" dh_file = "/etc/freeradius/certs/dh" random_file = "/etc/freeradius/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Checking post-proxy {...} for more modules to load } # modules } # server server { # from file /etc/freeradius/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking post-proxy {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on proxy address * port 1814 Ready to process requests. 
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=0, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000e01616e6f6e796d6f7573 Message-Authenticator = 0x91266a66dc1560f4b180f267046f49cb # Executing section authorize from file /etc/freeradius/radiusd.conf +- entering group authorize {...} [eap] EAP packet type response id 0 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/radiusd.conf +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 10.1.2.3 port 53932 EAP-Message = 0x010100231a0101001e10fe76bcb9c6b236ae40e3adc55e66f46f616e6f6e796d6f7573 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc93753dfc93649d1dbf26d3ddaf88693 Finished request 0. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=1, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100060319 State = 0xc93753dfc93649d1dbf26d3ddaf88693 Message-Authenticator = 0xdeaac1d575e4baf3e91cb822c6b3dc2d # Executing section authorize from file /etc/freeradius/radiusd.conf +- entering group authorize {...} [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 1 to 10.1.2.3 port 53932 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc93753dfc8354ad1dbf26d3ddaf88693 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=2, length=235 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0202006919800000005f160301005a0100005603014d5b0126eb0b34c231395606b2889596742fb84cc68a448175351ed334f887c100002800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff020100000400230000 State = 0xc93753dfc8354ad1dbf26d3ddaf88693 Message-Authenticator = 0xef9b9bf03448e138a16225eb9800d247 # Executing section authorize from file /etc/freeradius/radiusd.conf +- entering group authorize {...} [eap] EAP packet type response id 2 length 105 [eap] Continuing tunnel setup. 
++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 95 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 005a], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 06f0], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 2 to 10.1.2.3 port 53932 EAP-Message = 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 EAP-Message = 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 EAP-Message = 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 EAP-Message = 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 EAP-Message = 0x35b397c3989cc525cf33cc0c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc93753dfcb344ad1dbf26d3ddaf88693 Finished request 2. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=3, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300061900 State = 0xc93753dfcb344ad1dbf26d3ddaf88693 Message-Authenticator = 0x19b455b774785afdcd942e93c3759284 # Executing section authorize from file /etc/freeradius/radiusd.conf +- entering group authorize {...} [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 3 to 10.1.2.3 port 53932 EAP-Message = 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 EAP-Message = 0x300d060355040813064e6167616e6f31133011060355040a130a4550534f4e2f5342544d31163014060355040b130d4e6574776f726b2041646d696e311a30180603550403131163612e7362746d2e6570736f6e2e6e65743132303006092a864886f70d01090116236d617473757a6177612e6b656e69636869726f406578632e6570736f6e2e636f2e6a7030819f300d06092a864886f70d010101050003818d0030818902818100bd99ddea067ab5c99c910c310f73bccc10ef2456008d7151d366932202341ad6fd1dc136925489fef51e242401b22aa7a8aca7842b7eec55f765b9981440e0657ed5db9f8772906e2a0d41937475ad1ecd176909 EAP-Message = 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 EAP-Message = 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 EAP-Message = 0x8afb26e9fe80edb5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc93753dfca334ad1dbf26d3ddaf88693 Finished request 3. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=4, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400061900 State = 0xc93753dfca334ad1dbf26d3ddaf88693 Message-Authenticator = 0xd39c3c8109213e51672010199a0870ac # Executing section authorize from file /etc/freeradius/radiusd.conf +- entering group authorize {...} [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 4 to 10.1.2.3 port 53932 EAP-Message = 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 EAP-Message = 0x3364d4cf0903e62ae1f34421cf0681798655d2db77706eb086246040dd2ad28971747a80db9f92cc008ef36f5965585d14c590024a612ffd357d6852f94365a1d99019cfd6802be247a9bb188372b55987be699f1d290784e09816030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc93753dfcd324ad1dbf26d3ddaf88693 Finished request 4. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=5, length=338 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020500d01980000000c616030100861000008200800981f81ae3cd35f3a3971747e253480d8ccfd725b293088467b2c223c8bf8efe60d1937a436e1437c93484d52c54bba8c4e708f90b159034005359ab2af17da5e934a0375b87408c9179b904ae61db47c9a134f4b0ce467c522c484d43eabb2e92d5444d941950caab012f29afd86cf4662da8be658c56ecb48db7912a88303c1403010001011603010030c257ac05008e9b2b659c79c4c17c6a0d4a0ad6aaac10af0662e5d8ba7bb225dd470ddaa06db836b439466ab80539b599 State = 0xc93753dfcd324ad1dbf26d3ddaf88693 Message-Authenticator = 0x3bb0fea544806206b3685b7cb195aa64 # Executing section authorize from file /etc/freeradius/radiusd.conf +- entering group authorize {...} [eap] EAP packet type response id 5 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 5 to 10.1.2.3 port 
53932 EAP-Message = 0x01060041190014030100010116030100306fa84b71fad492af87f8a5e11025acca4d1b0d95e2c44cdd36dd7f40d4e101a2aa061d8bc3b6282e49e95d295b2f2d53 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc93753dfcc314ad1dbf26d3ddaf88693 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=6, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020600061900 State = 0xc93753dfcc314ad1dbf26d3ddaf88693 Message-Authenticator = 0xdc2f3864a660fa4113a3192cf7f105d8 # Executing section authorize from file /etc/freeradius/radiusd.conf +- entering group authorize {...} [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 6 to 10.1.2.3 port 53932 EAP-Message = 0x0107002b190017030100209d5d7425f026a1f645310b814af57e7e0900f663b20b163033316466c3adc4a3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc93753dfcf304ad1dbf26d3ddaf88693 Finished request 6. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=7, length=226 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02070060190017030100207f737a9d48c1143a532fc83d0f5338fa6e8c1156490566a273890465a1f8b49a17030100307a3ecfc7e51e42647369ec31959395e0256306e8a66e9b9bbd3a151fb2cbf0b054f88118d7bde8c143d84e371173f25f State = 0xc93753dfcf304ad1dbf26d3ddaf88693 Message-Authenticator = 0x0279ebc7ebc97234254458b36cf86753 # Executing section authorize from file /etc/freeradius/radiusd.conf +- entering group authorize {...} [eap] EAP packet type response id 7 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - testuser1 [peap] Got inner identity 'testuser1' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0207000c0139353732393037 server { PEAP: Setting User-Name to testuser1 Sending tunneled request EAP-Message = 0x0207000c0139353732393037 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testuser1" server inner-tunnel { # Executing section authorize from file /etc/freeradius/radiusd.conf +- entering group authorize {...} ++[control] returns notfound } # server inner-tunnel [peap] Got tunneled reply code 0 PEAP: Calling authenticate in order to initiate tunneled EAP session. 
# Executing group from file /etc/freeradius/radiusd.conf +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled PEAP: Cancelling proxy to realm legacy until the tunneled EAP session has been established [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010800211a0108001c109daef7bb0892bcb96f4dfeccdf4a10be39353732393037 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x688571cd688d6b54446bcd4ca98084f6 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 7 to 10.1.2.3 port 53932 EAP-Message = 0x0108004b19001703010040ff16c45a2ce5393c0acb3826003af0124949f4a66127990679643164dfb9e6409dbfe408c25e347a101477f5891e9b3328dedbaeb5c92cc6262bcdadd59076b0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc93753dfce3f4ad1dbf26d3ddaf88693 Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=8, length=258 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020800801900170301002062cf7f5b217fd63ad2fe213494f63a6ad86b7e445418beb080f7952df21a71d81703010050ef2bea5015abb6d99b198701b94c7c436100fe12e499ecd550270ffb544aacbf1a664e20bd55fe3d185747de90246b248d4da9efb6d30fd075720bf9c392a961b5d0118cd0e74677a185ec8d1af99bf2 State = 0xc93753dfce3f4ad1dbf26d3ddaf88693 Message-Authenticator = 0x4aaf30054d7a126cfc58a1fe4f8b78d2 # Executing section authorize from file /etc/freeradius/radiusd.conf +- entering group authorize {...} [eap] EAP packet type response id 8 length 128 [eap] Continuing tunnel setup. 
++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800421a0208003d31828a2d7a21903addce73462073635e330000000000000000a7790a0fabf812d9ff5952be61bb960e426380e5cbaea5710039353732393037 server { PEAP: Setting User-Name to testuser1 Sending tunneled request EAP-Message = 0x020800421a0208003d31828a2d7a21903addce73462073635e330000000000000000a7790a0fabf812d9ff5952be61bb960e426380e5cbaea5710039353732393037 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testuser1" State = 0x688571cd688d6b54446bcd4ca98084f6 server inner-tunnel { # Executing section authorize from file /etc/freeradius/radiusd.conf +- entering group authorize {...} ++[control] returns notfound } # server inner-tunnel [peap] Got tunneled reply code 0 PEAP: Calling authenticate in order to initiate tunneled EAP session. # Executing group from file /etc/freeradius/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Not-EAP proxy set. Not composing EAP ++[eap] returns handled PEAP: Tunneled authentication will be proxied to legacy PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy. [eap] Tunneled session will be proxied. Not doing EAP. ++[eap] returns handled WARNING: Empty pre-proxy section. Using default return values. 
Sending Access-Request of id 243 to 192.168.1.5 port 1645 User-Name = "testuser1" MS-CHAP-Challenge = 0x9daef7bb0892bcb96f4dfeccdf4a10be MS-CHAP2-Response = 0x0835828a2d7a21903addce73462073635e330000000000000000a7790a0fabf812d9ff5952be61bb960e426380e5cbaea571 Proxy-State = 0x38 Proxying request 8 to home server 192.168.1.5 port 1645 Sending Access-Request of id 243 to 192.168.1.5 port 1645 User-Name = "testuser1" MS-CHAP-Challenge = 0x9daef7bb0892bcb96f4dfeccdf4a10be MS-CHAP2-Response = 0x0835828a2d7a21903addce73462073635e330000000000000000a7790a0fabf812d9ff5952be61bb960e426380e5cbaea571 Proxy-State = 0x38 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Accept packet from host 192.168.1.5 port 1645, id=243, length=122 MS-CHAP2-Success = 0x08533d38413537333944413130374135454330333631464545323132444239413845354142324133384331 Service-Type = Framed-User Framed-Protocol = PPP Proxy-State = 0x38 Class = 0x434953434f4143533a30313432386463662f38353961333537622f39353732393037 # Executing section post-proxy from file /etc/freeradius/radiusd.conf +- entering group post-proxy {...} [eap] Doing post-proxy callback [eap] Passing reply from proxy back into the tunnel. server inner-tunnel { [eap] Passing reply back for EAP-MS-CHAP-V2 # Executing section post-proxy from file /etc/freeradius/radiusd.conf +- entering group post-proxy {...} ++[eap] returns noop WARNING: Empty post-auth section. Using default return values. 
} # server inner-tunnel [eap] Final reply from tunneled session code 2 MS-CHAP2-Success = 0x08533d38413537333944413130374135454330333631464545323132444239413845354142324133384331 Service-Type = Framed-User Framed-Protocol = PPP Proxy-State = 0x38 Class = 0x434953434f4143533a30313432386463662f38353961333537622f39353732393037 [eap] Got reply 2 [eap] Got tunneled reply RADIUS code 2 MS-CHAP2-Success = 0x08533d38413537333944413130374135454330333631464545323132444239413845354142324133384331 Service-Type = Framed-User Framed-Protocol = PPP Proxy-State = 0x38 Class = 0x434953434f4143533a30313432386463662f38353961333537622f39353732393037 [eap] Tunneled authentication was successful. [eap] SUCCESS [eap] Reply was handled ++[eap] returns ok Found Auth-Type = EAP Found Auth-Type = Accept Warning: Found 2 auth-types on request for user 'anonymous' Auth-Type = Accept, accepting the user WARNING: Empty post-auth section. Using default return values. Sending Access-Challenge of id 8 to 10.1.2.3 port 53932 EAP-Message = 0x0109003b19001703010030640e81acec93c51e59bba8ce414fb9bd6a1460257e048338092073395b6a7212c29694ceab37a8f51493b9d9dda31900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc93753dfc13e4ad1dbf26d3ddaf88693 Finished request 8. Going to the next request Waking up in 4.8 seconds. 
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=9, length=226 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0209006019001703010020b3bd77af125e8598b4d0fa4500fe192b9e3549d4bf505ecda2c577b4442b441f1703010030fac4e8e250747ad2eacfce0a984d1ac4f01a995522125078e1a5e26d9c623d0ac843b8849872911fc94a64f72c2b2355 State = 0xc93753dfc13e4ad1dbf26d3ddaf88693 Message-Authenticator = 0x44bc1230fec13f85ae315e404f550d88 # Executing section authorize from file /etc/freeradius/radiusd.conf +- entering group authorize {...} [eap] EAP packet type response id 9 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Client rejected our response. The password is probably incorrect. [peap] We sent a success, but received something weird in return. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 9 to 10.1.2.3 port 53932 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. 
Cleaning up request 0 ID 0 with timestamp +17 Cleaning up request 1 ID 1 with timestamp +17 Cleaning up request 2 ID 2 with timestamp +17 Cleaning up request 3 ID 3 with timestamp +17 Cleaning up request 4 ID 4 with timestamp +17 Cleaning up request 5 ID 5 with timestamp +17 Cleaning up request 6 ID 6 with timestamp +17 Cleaning up request 7 ID 7 with timestamp +17 Cleaning up request 8 ID 8 with timestamp +17 Waking up in 1.0 seconds. Cleaning up request 9 ID 9 with timestamp +17 Ready to process requests.