I must be doing something wrong in my filtering because it keeps dumping me into unclassified instead of passing the group I assigned. I have set up a security group specifically for this test and I am indeed in the group.

I set it up like this in sites-enabled/inner-tunnel because it seemed this manner was a little more flexible for our needs:

    post-auth {
        if (Ldap-Group == "CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov") {
            update reply {
                Filter-Id := networking
            }
        } else {
            update reply {
                Filter-Id := secure-unclassified
            }
        }
    }

here is my radius -X:

FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu, built on Mar 31 2010 at 00:14:28 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/always including 
configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/ldap.save including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel group = radiusd user = radiusd including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = 
"/var/log/radius" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = no zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.200.1.0/24 { require_message_authenticator = no secret = "testing321" shortname = "TestingNetwork" } client 10.175.255.11 { require_message_authenticator = no secret = "doomkey" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed 
timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username= %{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-STN} --challenge=%{mschap:Challenge:-00} --nt-response= %{mschap:NT-Response:-00}" } Module: Instantiating ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=STN --username= %{mschap:User-Name} --password=%{User-Password}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no 
cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" 
with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_ldap Module: Instantiating ldap ldap { server = "AD.ne.gov" port = 389 password = "XXXXXXXXXX" identity = "stn\seth.doty" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov" filter = "(CN=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(&(objectClass=group)(member= %{Ldap-UserDn}))" groupmembership_attribute = "memberOf" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section. 
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP 
radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x1f3cc40 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m% d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and 
Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.175.255.11 port 32794, id=237, length=171 User-Name = "seth.doty" NAS-IP-Address = 10.200.3.252 NAS-Port = 0 NAS-Identifier = "10.200.3.252" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "C417FE62A790" Called-Station-Id = "000B8661628C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0202000e01736574682e646f7479 Aruba-Essid-Name = "NEW_TEST" Aruba-Location-Id = "test-ap-41" Message-Authenticator = 0x0a5981cd35cccccec08916dd42a81088 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "seth.doty", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok [ldap] performing user authorization for seth.doty [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> seth.doty [ldap] expand: (CN=%{%{Stripped-User-Name}:-%{User-Name}}) -> (CN=seth.doty) [ldap] expand: CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov -> CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to AD.ne.gov:389, authentication 0 rlm_ldap: bind as stn\seth.doty/XXXXXXXXXX to AD.ne.gov:389 rlm_ldap: waiting for bind result ... 
rlm_ldap: Bind was successful rlm_ldap: performing search in CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov, with filter (CN=seth.doty) rlm_ldap: object not found [ldap] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 237 to 10.175.255.11 port 32794 EAP-Message = 0x0103001604107a6ee0a2d4f6e763d8c1574a0cfc74b1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9780c3129783c71452e59c48c6e32104 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.175.255.11 port 32794, id=238, length=181 User-Name = "seth.doty" NAS-IP-Address = 10.200.3.252 NAS-Port = 0 NAS-Identifier = "10.200.3.252" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "C417FE62A790" Called-Station-Id = "000B8661628C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020300060319 State = 0x9780c3129783c71452e59c48c6e32104 Aruba-Essid-Name = "NEW_TEST" Aruba-Location-Id = "test-ap-41" Message-Authenticator = 0xf1a25dd0282fb3e8789fdd1535a883e8 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "seth.doty", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok [ldap] performing user authorization for seth.doty [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> seth.doty [ldap] expand: (CN=%{%{Stripped-User-Name}:-%{User-Name}}) -> (CN=seth.doty) [ldap] expand: 
CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov -> CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov, with filter (CN=seth.doty) rlm_ldap: object not found [ldap] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 238 to 10.175.255.11 port 32794 EAP-Message = 0x010400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9780c3129684da1452e59c48c6e32104 Finished request 1. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 10.175.255.11 port 32794, id=239, length=329 User-Name = "seth.doty" NAS-IP-Address = 10.200.3.252 NAS-Port = 0 NAS-Identifier = "10.200.3.252" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "C417FE62A790" Called-Station-Id = "000B8661628C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0204009a198000000090160301008b0100008703014dd66ed50762ee33a7976c83e0756515c3ff0a4122274a986df878b78df1dbaa201a0f0000a2009ce306eae11299284ffcaef3f1d8b00911c239ea4ad50e8bd4f0003a00390038008800870035008400160013000a00330032009a009900450044002f00960041000500040015001200090014001100080006000300ff0100000400230000 State = 0x9780c3129684da1452e59c48c6e32104 Aruba-Essid-Name = "NEW_TEST" Aruba-Location-Id = "test-ap-41" Message-Authenticator = 0x7257f430f878922484dfd20a4d3340db +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "seth.doty", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 154 [eap] Continuing tunnel setup. 
++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 144 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 008b], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 239 to 10.175.255.11 port 32794 EAP-Message = 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 EAP-Message = 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 EAP-Message = 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 EAP-Message = 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 EAP-Message = 0xd60004ab308204a73082038f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9780c3129585da1452e59c48c6e32104 Finished request 2. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 10.175.255.11 port 32794, id=240, length=181 User-Name = "seth.doty" NAS-IP-Address = 10.200.3.252 NAS-Port = 0 NAS-Identifier = "10.200.3.252" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "C417FE62A790" Called-Station-Id = "000B8661628C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020500061900 State = 0x9780c3129585da1452e59c48c6e32104 Aruba-Essid-Name = "NEW_TEST" Aruba-Location-Id = "test-ap-41" Message-Authenticator = 0x441273cb354ca32d27b088777c92f92c +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "seth.doty", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 240 to 10.175.255.11 port 32794 EAP-Message = 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 EAP-Message = 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 EAP-Message = 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 EAP-Message = 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 EAP-Message = 0xab093a6369691c7f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9780c3129486da1452e59c48c6e32104 Finished request 3. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 10.175.255.11 port 32794, id=241, length=181 User-Name = "seth.doty" NAS-IP-Address = 10.200.3.252 NAS-Port = 0 NAS-Identifier = "10.200.3.252" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "C417FE62A790" Called-Station-Id = "000B8661628C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020600061900 State = 0x9780c3129486da1452e59c48c6e32104 Aruba-Essid-Name = "NEW_TEST" Aruba-Location-Id = "test-ap-41" Message-Authenticator = 0xc41800b8f9423e2c1cb0e0211f015223 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "seth.doty", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 241 to 10.175.255.11 port 32794 EAP-Message = 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 EAP-Message = 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 EAP-Message = 0x187851f1cc89c646eb38751c6288c891b07ed01d7d888fb2d50d153517f854c9114504088092dcd2c32faba168e66f59b51dc4e718e96618019789c33a4ef2ad76929d8c6fc945710aa350c22dce3f21fc81a2023eaf0ae906fc748dc2e47e2c5894eb49a6f206a3d326438fc8b7bde52f9675f8f1594a350bc040495fd96e46317e760d3d7d879ecc4d16602095e442262defbc9e63ee0dc28c491eaad9a8b310f1262c982faf8840a5f5ef377e61a8b0632b58f17ad6f4c900c13661549f5143f48a1f65ef4e6ca37c8e16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9780c3129387da1452e59c48c6e32104 Finished request 4. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 10.175.255.11 port 32794, id=242, length=383 User-Name = "seth.doty" NAS-IP-Address = 10.200.3.252 NAS-Port = 0 NAS-Identifier = "10.200.3.252" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "C417FE62A790" Called-Station-Id = "000B8661628C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020700d01980000000c616030100861000008200802107622ebf4b8c5e63e4520592841ea7d4b52fd0ded2de0c70b7102e112455b3f03bd63f3ef0698f373d6769f891aedd9a745f2c52c85f3460031c3c873013c8b8ec7cbb65dbc7421bde06575e73193afbaf37f56abf6de0008dd11fae7d2f0c5543ae5223426ff7c7629345e550398fc6c73720654ef83e7e3106822315c2fc1403010001011603010030fb8d5afaf87b62d13d80b6e7121b59458c56b273735d0ba915104b608ade2e4ff2420e9055bcad9f8524104ad5205faa State = 0x9780c3129387da1452e59c48c6e32104 Aruba-Essid-Name = "NEW_TEST" Aruba-Location-Id = "test-ap-41" Message-Authenticator = 0x61ca90433840534121034f7e04373532 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "seth.doty", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 208 [eap] Continuing tunnel setup. 
++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 242 to 10.175.255.11 port 32794 EAP-Message = 0x01080041190014030100010116030100306e78d4a3fbc91bee1e1d5d532e0d3972f792abab0a29cc96e47d1b9db8576c9df490e8d5bc9692995826b8bce70f77fb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9780c3129288da1452e59c48c6e32104 Finished request 5. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 10.175.255.11 port 32794, id=243, length=181
        User-Name = "seth.doty"
        NAS-IP-Address = 10.200.3.252
        NAS-Port = 0
        NAS-Identifier = "10.200.3.252"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "C417FE62A790"
        Called-Station-Id = "000B8661628C"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message = 0x020800061900
        State = 0x9780c3129288da1452e59c48c6e32104
        Aruba-Essid-Name = "NEW_TEST"
        Aruba-Location-Id = "test-ap-41"
        Message-Authenticator = 0xe3c222fec06228e6c36609c8e43e8117
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "seth.doty", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 243 to 10.175.255.11 port 32794
        EAP-Message = 0x0109002b1900170301002026d6755b4b91f4b56e47ccb8af04efb3f5064beeb03dd375e1a737fe69b97f7e
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x9780c3129189da1452e59c48c6e32104
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.175.255.11 port 32794, id=244, length=255
        User-Name = "seth.doty"
        NAS-IP-Address = 10.200.3.252
        NAS-Port = 0
        NAS-Identifier = "10.200.3.252"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "C417FE62A790"
        Called-Station-Id = "000B8661628C"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message = 0x02090050190017030100202a153e005d218c64bac4c6ae60a4a47ae0b7eb863a243ae455402455c8d1a0da1703010020e05e87b384eb1cf4b7dfcf67aba1a804182ab45e8ec023c90a97af98d5d774c5
        State = 0x9780c3129189da1452e59c48c6e32104
        Aruba-Essid-Name = "NEW_TEST"
        Aruba-Location-Id = "test-ap-41"
        Message-Authenticator = 0x609e26344fc806d31db36b5a883c6da2
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "seth.doty", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - seth.doty
[peap] Got tunneled request
        EAP-Message = 0x0209000e01736574682e646f7479
server {
  PEAP: Got tunneled identity of seth.doty
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to seth.doty
Sending tunneled request
        EAP-Message = 0x0209000e01736574682e646f7479
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "seth.doty"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "seth.doty", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message = 0x010a00231a010a001e10d6b726f89e7c1dc2455dcb969bffefb1736574682e646f7479
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc020639cc02a799f2402da1e2bf686a2
[peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x010a00231a010a001e10d6b726f89e7c1dc2455dcb969bffefb1736574682e646f7479
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc020639cc02a799f2402da1e2bf686a2
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 244 to 10.175.255.11 port 32794
        EAP-Message = 0x010a004b190017030100404b9e4baea80d1d20ab90eeab01cf3501d752cbd5549687f3922f255fe49c5ca0fd2cc0bebf23656ddce51502dd83713f5748451cdcfe245ef8ba92e2a4741811
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x9780c312908ada1452e59c48c6e32104
Finished request 7.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.175.255.11 port 32794, id=245, length=319
        User-Name = "seth.doty"
        NAS-IP-Address = 10.200.3.252
        NAS-Port = 0
        NAS-Identifier = "10.200.3.252"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "C417FE62A790"
        Called-Station-Id = "000B8661628C"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message = 0x020a0090190017030100208c10c1ba2871d2d5e20afef609ddcf4d74fecb1af44a5e8b96d13b04b9f098481703010060468f6eb13698dd642845884bade0b9281b10ec721e078fa0b360fe5a9c0f7a571dfb8ab1ff5d4c8520bd15a7eac8f904428537ed2e897f4f1355f2572d45b3832296cda77b86b38e7625e8b79df1caa1a564b22bc0d4fb655a54a532dd4387c4
        State = 0x9780c312908ada1452e59c48c6e32104
        Aruba-Essid-Name = "NEW_TEST"
        Aruba-Location-Id = "test-ap-41"
        Message-Authenticator = 0xe1dac00b193956d298b5db160cbe61c4
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "seth.doty", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x020a00441a020a003f3180cd1ba748241f27f3b6d138e34e5022000000000000000020d0bdcfe838860d435e92ce6dee7d6ee83a61639f30852600736574682e646f7479
server {
  PEAP: Setting User-Name to seth.doty
Sending tunneled request
        EAP-Message = 0x020a00441a020a003f3180cd1ba748241f27f3b6d138e34e5022000000000000000020d0bdcfe838860d435e92ce6dee7d6ee83a61639f30852600736574682e646f7479
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "seth.doty"
        State = 0xc020639cc02a799f2402da1e2bf686a2
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "seth.doty", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 10 length 68
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for seth.doty with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=seth.doty
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: %{mschap:NT-Domain} ->
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-STN} -> --domain=STN
[mschap] mschap2: d6
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=48fb695c32de49e3
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=20d0bdcfe838860d435e92ce6dee7d6ee83a61639f308526
Exec-Program output: NT_KEY: 7D06A715A9FD45DB57D634E70486CDEB
Exec-Program-Wait: plaintext: NT_KEY: 7D06A715A9FD45DB57D634E70486CDEB
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message = 0x010b00331a030a002e533d46334433334145443433344541303143313836434644343539464337424130373636464339444638
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc020639cc12b799f2402da1e2bf686a2
[peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x010b00331a030a002e533d46334433334145443433344541303143313836434644343539464337424130373636464339444638
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc020639cc12b799f2402da1e2bf686a2
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 245 to 10.175.255.11 port 32794
        EAP-Message = 0x010b005b1900170301005024162ce85f39c2256bf2754dc6ffe339f37849a4f2bb127618172a0b431aa09821f11a0547dd875555bd24498706bb0375123e584219ee9678b993363cac4b343b5c428ce257d4275349df839762572b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x9780c3129f8bda1452e59c48c6e32104
Finished request 8.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.175.255.11 port 32794, id=246, length=255
        User-Name = "seth.doty"
        NAS-IP-Address = 10.200.3.252
        NAS-Port = 0
        NAS-Identifier = "10.200.3.252"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "C417FE62A790"
        Called-Station-Id = "000B8661628C"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message = 0x020b005019001703010020f46c4aa9b900c096bbe02e439cca2ee2bc60aa24eeb2913dcf7a08178e21d46d1703010020551fbf04f9dc4dedbf509014d6153eb6a11ede632045982a84af03243bf94b45
        State = 0x9780c3129f8bda1452e59c48c6e32104
        Aruba-Essid-Name = "NEW_TEST"
        Aruba-Location-Id = "test-ap-41"
        Message-Authenticator = 0x74a755dd934383272d0713bb75b75851
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "seth.doty", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 11 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x020b00061a03
server {
  PEAP: Setting User-Name to seth.doty
Sending tunneled request
        EAP-Message = 0x020b00061a03
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "seth.doty"
        State = 0xc020639cc12b799f2402da1e2bf686a2
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "seth.doty", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 11 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
++? if (Ldap-Group == "CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov")
rlm_ldap: Entering ldap_groupcmp()
        expand: CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov -> CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov
        expand: %{Stripped-User-Name} ->
        expand: %{User-Name} -> seth.doty
        expand: (CN=%{%{Stripped-User-Name}:-%{User-Name}}) -> (CN=seth.doty)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov, with filter (CN=seth.doty)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
? Evaluating (Ldap-Group == "CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov") -> FALSE
++? if (Ldap-Group == "CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov") -> FALSE
++- entering else else {...}
+++[reply] returns noop
++- else else returns noop
} # server inner-tunnel
[peap] Got tunneled reply code 2
        EAP-Message = 0x030b0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "seth.doty"
        Filter-Id = "secure-unclassified"
[peap] Got tunneled reply RADIUS code 2
        EAP-Message = 0x030b0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "seth.doty"
        Filter-Id = "secure-unclassified"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 246 to 10.175.255.11 port 32794
        EAP-Message = 0x010c002b1900170301002056502beade5135038021ed5d2f0d10e78a91e501c5d58a96af0fcdb3310726fc
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x9780c3129e8cda1452e59c48c6e32104
Finished request 9.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.175.255.11 port 32794, id=247, length=255
        User-Name = "seth.doty"
        NAS-IP-Address = 10.200.3.252
        NAS-Port = 0
        NAS-Identifier = "10.200.3.252"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "C417FE62A790"
        Called-Station-Id = "000B8661628C"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message = 0x020c0050190017030100208011c6fbb25eeb4e04454b45afc64844f4781f5599cd67c45edf61c5820f03f21703010020c5bf37365af4f1c5dd2bda857e262cd94c871bfce6454aa1c643cf2fe1343630
        State = 0x9780c3129e8cda1452e59c48c6e32104
        Aruba-Essid-Name = "NEW_TEST"
        Aruba-Location-Id = "test-ap-41"
        Message-Authenticator = 0xc3017bd2df835a35b048be614209c833
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "seth.doty", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 12 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 247 to 10.175.255.11 port 32794
        MS-MPPE-Recv-Key = 0x250a9d4675dee09162bf7de49a5a94f97186120e1cc8448f2fcfc134b7a1323e
        MS-MPPE-Send-Key = 0xab393dc3cdf464673e9189ccb1910bb3469472970ab4c92f6d5ccd4eb102efa4
        EAP-Message = 0x030c0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "seth.doty"
Finished request 10.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 237 with timestamp +246
Cleaning up request 1 ID 238 with timestamp +246
Cleaning up request 2 ID 239 with timestamp +246
Cleaning up request 3 ID 240 with timestamp +246
Cleaning up request 4 ID 241 with timestamp +246
Cleaning up request 5 ID 242 with timestamp +246
Cleaning up request 6 ID 243 with timestamp +246
Cleaning up request 7 ID 244 with timestamp +246
Cleaning up request 8 ID 245 with timestamp +246
Cleaning up request 9 ID 246 with timestamp +246
Cleaning up request 10 ID 247 with timestamp +246
Ready to process requests.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
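As an added triage script (not from this post or from FreeRADIUS itself), the following parses a radiusd -X transcript like the one above: it pulls out each ldap_groupcmp search with its base DN and filter, then compares the attributes of the tunneled Access-Accept against the outer Access-Accept, which is where a Filter-Id set in inner-tunnel post-auth can go missing even after the group check is fixed. The sample lines are copied from the transcript; the assumption that rlm_ldap prints "object not found" on the line directly after a failed search is based on the output shown here.

```python
import re

# Constructed sample: entries copied from the radiusd -X transcript above, one per line.
SAMPLE_LOG = """\
rlm_ldap: performing search in CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov, with filter (CN=seth.doty)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
[peap] Got tunneled reply code 2
EAP-Message = 0x030b0004
User-Name = "seth.doty"
Filter-Id = "secure-unclassified"
[peap] Tunneled authentication was successful.
Sending Access-Accept of id 247 to 10.175.255.11 port 32794
EAP-Message = 0x030c0004
User-Name = "seth.doty"
Finished request 10.
"""

SEARCH_RE = re.compile(r"^rlm_ldap: performing search in (?P<base>.+), with filter (?P<filter>\(.*\))$")
ATTR_RE = re.compile(r'^(?P<name>[A-Za-z0-9-]+) = (?P<value>.+)$')

def ldap_group_searches(log):
    """(base, filter, found) per ldap_groupcmp search; assumes a miss prints 'object not found' next."""
    lines, out = log.splitlines(), []
    for i, m in enumerate(map(SEARCH_RE.match, lines)):
        if m:
            out.append((m["base"], m["filter"],
                        lines[i + 1:i + 2] != ["rlm_ldap: object not found"]))
    return out

def attrs_after(log, marker):
    """'Attr = value' pairs printed after the first line starting with marker."""
    attrs, lines = {}, log.splitlines()
    start = next((i for i, l in enumerate(lines) if l.startswith(marker)), None)
    for line in lines[start + 1:] if start is not None else []:
        m = ATTR_RE.match(line)
        if not m:
            break                     # first non-attribute line ends the packet dump
        attrs[m["name"]] = m["value"].strip('"')
    return attrs

def triage(log):
    """Did the group search fail, and did Filter-Id survive from the tunneled reply to the outer Access-Accept?"""
    searches = ldap_group_searches(log)
    inner = attrs_after(log, "[peap] Got tunneled reply code 2")
    outer = attrs_after(log, "Sending Access-Accept")
    return {"group_search_failed": any(not ok for *_, ok in searches),
            "inner_filter_id": inner.get("Filter-Id"),
            "outer_filter_id": outer.get("Filter-Id")}
```

On the transcript above this reports a failed group search (the filter (CN=seth.doty) is being evaluated with the group DN as the search base) and a Filter-Id that is present in the tunneled reply but absent from the outer Access-Accept.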