SOLVED - Re: xp sp3 and freeradius 2.0.5
Hello.

Thanks to all for your accurate replies. Lech was right, the problem with 4500 is the handshake (dis)function, it works like a charm!! So does Cisco gear too!! Both with the same setup at FR 2.0.5 and with all clients: XP SP2/SP3, Vista, Win2KX.

BUT, 5500 is not working. The characteristics of this switch are:

    5500G-EI - 3CR17254-91
    os 3.02.04s168
    bootrom v 4.0.3

This firmware version is the latest available as of today, and doesn't have the option to disable handshake, so it doesn't work at all. For any soul out there trying to make this switch work, help me out to ask 3COM to correct their software and allow to disable handshake as 4500's do.

Best regards to all of you, this software and this list rocks!!!

Oxiel

On Fri 08 Aug 2008, Lech Karol Pawłaszek wrote:

Arran Cudbard-Bell wrote:

I let the client stay on VLAN1, not moving to other vlan, the same behavior: the PC gets ACCESS-ACCEPT but then it tries again, until the exclamation icon appears, no ping to the client at all. What can it be? What am I doing wrong? Is the problem XP SP3? Or is it 3COM 5500G-EI?

Didn't we have exactly the same problem on the list, like a week ago? You have upgraded to the latest firmware for your 3COM switch, right?

Yup. It's me who had this problem. Actually my switches are from 4500 family and Oxiel's are 5500, however those families are kind of similar.

Oxiel: use the newest available firmware for your switches (the one from 12th of May) - namely 3.03.1. Then disable handshake (dis)function.

    <5500> system-view
    [5500] undo dot1x handshake enable

And - because I've found another bug - you'll have to use port based authentication method instead of the default mac based

    [5500] dot1x port-method portbased

If you have any further questions - feel free to ask.

Kind regards,

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: xp sp3 and freeradius 2.0.5
Hello Ivan.

While negotiating, XP SP3 and switch show this traffic:

    [1 User-name ] [26] [host/pccen115.cosmart.bo]
    [32 NAS-Identifier ] [14] [001cc5363882]
    [5 NAS-Port] [6 ] [268439553]
    [87 NAS_Port_Id ] [34] [unit=1;subslot=0;port=1;vlanid=1]
    [61 NAS-Port-Type ] [6 ] [15]
    [31 Caller-ID ] [16] [303030352D356437622D38643561]
    *0.40057968 5500G-EI RDS/8/DEBUG:- 1 -
    [40 Acct-Status-Type] [6 ] [2]
    [45 Acct-Authentic ] [6 ] [1]
    [44 Acct-Session-Id ] [15] [110500011106f]
    [4 NAS-IP-Address ] [6 ] [192.168.100.245]
    [55 Event-Timestamp ] [6 ] [1104577657]
    [3com-26 Connect_ID ] [6 ] [35]
    *0.40057969 5500G-EI RDS/8/DEBUG:- 1 -
    [3com-29 Input_Peak_Rate ] [6 ] [0]
    [3com-2 Input_Average_Rate ] [6 ] [0]
    [3com-4 Output_Peak_Rate ] [6 ] [0]
    [3com-5 Output_Average_Rate ] [6 ] [0]
    [3com-22 Priority ] [6 ] [0]
    [3com-60 Ip-Host-Addr ] [27] [0.0.0.0 00:05:5d:7b:8d:5a]
    *0.40057969 5500G-EI RDS/8/DEBUG:- 1 -
    [46 Acct-Session-Time ] [6 ] [97]
    [41 Acct-Delay-Time ] [6 ] [0]
    [42 Acct-Input-Octets ] [6 ] [93000]
    [47 Acct-Input-Packets ] [6 ] [352]
    [43 Acct-Output-Octets ] [6 ] [126726]
    [48 Acct-Output-Packets ] [6 ] [698]
    *0.40057970 5500G-EI RDS/8/DEBUG:- 1 -
    [52 Acct_Input_Gigawords] [6 ] [0]
    [53 Acct_Output_Gigawords ] [6 ] [0]
    [49 Terminate-Cause ] [6 ] [2]

I let the client stay on VLAN1, not moving to other vlan, the same behavior: the PC gets ACCESS-ACCEPT but then it tries again, until the exclamation icon appears, no ping to the client at all. What can it be? What am I doing wrong? Is the problem XP SP3? Or is it 3COM 5500G-EI?

Regards.

Oxiel

On Tuesday 08 Jul 2008, Ivan Kalik wrote:

As you noted the client gets Access-Accept once, but then for some reason I don't know, it loses connection and never gets access to the network. On Windows the network icon shows trying to connect, then later gets the exclamation sign on the icon. First thought it was something with the vlan assignation, so removed it, and let it stay on vlan 1, but the same behavior.

Certificates are fine, radius server is fine. Your NAS is dropping the connection. Debug the NAS and see what it is complaining about. It's quite normal for Windows domain access to authenticate machine first and user later, once machine is on the network.

Ivan Kalik
Kalik Informatika ISP
Re: Whether the FreeRADIUS supports switch 3Com 5500G-EI ?
Hello Gennadiy.

I'm trying hard to achieve what you did, but with no success. Could you please let me know which firmware you were using on this switch, and against what clients (native Windows XP service pack 3 or Windows Vista radius client maybe?)

I'm trying to authenticate through PEAP with native radius client on Windows XP SP3 and Windows Vista with FR 2.0.5 with PEAP, and this model of 3com 5500G-EI:

    <5500G-EI>dis version
    3Com Corporation
    SuperStack 4 Switch 5500G-EI Software Version 3Com OS V3.02.04s168
    Copyright (c) 2004-2007 3Com Corporation and its licensors, All rights reserved.
    SuperStack 4 Switch 5500G-EI uptime is 0 week, 0 day, 11 hours, 41 minutes

    3Com SuperStack 4 Switch 5500G-EI 24-Port with 1 MIPS Processor
    128Mbytes SDRAM
    16384K bytes Flash Memory
    Config Register points to FLASH

    Hardware Version is REV.C
    CPLD Version is 002
    Bootrom Version is 4.03
    [Subslot 0] 24GE+4SFP Hardware Version is REV.C
    [Subslot 2] 2 STACK Hardware Version is REV.C

Did you change something else on your switches or is it only what you uploaded on the list, maybe something on Windows or FR?

Best regards.

Oxiel

On Wednesday 11 Jun 2008, Gennadiy Redko wrote:

Krzysztof Olędzki wrote:

OK, we absolutely need some more info:
- display vlan
- display vlan ... (2?)
- display interface ... (G7/0/40?)
- display port-security interface ... (G7/0/40)

Hi, Krzysztof

Viktor Guk wrote:

skip

All too most, only with the letter G.

    [5500G-EI]disp vlan
    The following VLANs exist:
    1(default), 2

    [5500G-EI]disp vlan 2
    VLAN ID: 2
    VLAN Type: static
    Route Interface: not configured
    Description: vlan2
    Name: vlan2
    Tagged Ports: none
    Untagged Ports:
     GigabitEthernet7/0/39 GigabitEthernet7/0/47

    [5500G-EI]display interface GigabitEthernet 7/0/40
    GigabitEthernet7/0/40 current state : DOWN
    IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 001a-c147-8e68
    Media type is twisted pair, loopback not set
    Port hardware type is 1000_BASE_T
    Unknown-speed mode, unknown-duplex mode
    Link speed type is autonegotiation, link duplex type is autonegotiation
    Flow-control is not enabled
    The Maximum Frame Length is 1522
    Broadcast MAX-pps: 3000
    Unicast MAX-ratio: 100%
    Multicast MAX-ratio: 100%
    Forbid jumbo frame to pass
    PVID: 1
    Mdi type: auto
    Port link-type: access
     Tagged VLAN ID : none
     Untagged VLAN ID : 1
    Last 300 seconds input: 0 packets/sec 7 bytes/sec
    Last 300 seconds output: 0 packets/sec 48 bytes/sec
    Input(total): 23 packets, 2240 bytes
     2 broadcasts, 12 multicasts, 0 pauses
    Input(normal): - packets, - bytes
     - broadcasts, - multicasts, - pauses
    Input: 0 input errors, 0 runts, 0 giants, - throttles, 0 CRC
     - frame, - overruns, 0 aborts, - ignored, - parity errors
    Output(total): 151 packets, 14501 bytes
     89 broadcasts, 50 multicasts, 0 pauses
    Output(normal): - packets, - bytes
     - broadcasts, - multicasts, - pauses
    Output: 0 output errors, - underruns, - buffer failures
     0 aborts, 0 deferred, 0 collisions, 0 late collisions
     0 lost carrier, - no carrier

    [5500G-EI]display port-security interface GigabitEthernet 7/0/40
    GigabitEthernet7/0/40 is link-down
    Port mode is noRestriction
    NeedtoKnow mode is disabled
    Intrusion mode is no action
    Max mac-address num is not configured
    Stored mac-address num is 0
    Authorization is permit

With the options offered by you the stand too has not earned

BTW: There is no need to add and use TMT802, freeradius already comes with all what you need here:

    Tunnel-Type = VLAN
    Tunnel-Medium-Type = IEEE-802
    Tunnel-Private-Group-ID = ...

Best regards,
Krzysztof Olędzki

Best regards.
Gennadii Redko
Re: xp sp3 and freeradius 2.0.5
Hello Alan.

further to previous post - your log shows several WARNING entries - fix those.

Yes, fixed with eap.conf indications.

finally, read eap.conf - especially the part about Windows systems not responding to EAP challenges...which is what your log looks like

I've read it again, this time consciously, but I think it is already there, maybe I'm losing something, please correct me; as I know, SP3 already brings the patch needed with SP2.

As you noted the client gets Access-Accept once, but then for some reason I don't know, it loses connection and never gets access to the network. On Windows the network icon shows trying to connect, then later gets the exclamation sign on the icon. First thought it was something with the vlan assignation, so removed it, and let it stay on vlan 1, but the same behavior.

Other things that made me doubt was the username received by FR, most of the time it is the machine name: host/caja02.cosmart.bo, instead of the domain username: COSMART\\jat. So as Tom pointed out in previous email, I'm using wired configuration service on Windows services, I'm not doing wireless at all, so disabled MPPE keys, put use_mppe = no on mschap module, but messages like these continue to appear with radiusd -X:

    MS-MPPE-Recv-Key = 0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9
    MS-MPPE-Send-Key = 0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480

Last, I will regenerate the certs with the new way. Sorry, I stayed with 1.X long ago and recently upgraded to 2.0.5; what I did was to copy the certs directory from my previous working setup, guess there's something different.

I'll let you know as soon as possible.

Best regards.

Oxiel
Re: VLAN assigment and Alcatel Omniswitch 7800
Hello Marcel.

I'm afraid you added it in the wrong place, dictionary.alcatel does not contain the VSAs for Omniswitches (Alcatel-Lucent has multiple dictionaries for different products, dictionary.alcatel appears to be for a BRAS, not for an enterprise switch). The dictionary you're looking for is dictionary.xylan; the easiest way is to use Xylan-Auth-Group for sending your VLAN (The name isn't really that important, what is important is that the number for the attribute is correct (1 in this case) and that it is defined with the proper vendor number (800 for Omniswitches)).

Right, indeed used Xylan-Auth-Group and worked perfectly, I'm so happy a tear fell down :)

Many thanks.

Oxiel
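
An added example, not part of the thread or of FreeRADIUS: the reply's point that both the attribute number (1) and the vendor number (800) must be right, shown as bytes on the wire using the RFC 2865 Vendor-Specific layout. The function names, the sample reply attributes and the vendor number 9999 are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26      # RFC 2865 section 5.26
OMNISWITCH_VENDOR = 800   # vendor number given in the thread
AUTH_GROUP = 1            # Xylan-Auth-Group attribute number given in the thread


def encode_attr(attr_type, value):
    """Type (1 byte) | Length (1 byte, header included) | Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def encode_vsa_int(vendor_id, vendor_type, number):
    """Vendor-Specific attribute wrapping one 32-bit integer sub-attribute."""
    sub = encode_attr(vendor_type, struct.pack("!I", number))
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def iter_attrs(blob):
    """Yield (type, value) for each attribute; reject inconsistent lengths."""
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        yield attr_type, blob[pos + 2:pos + length]
        pos += length


def iter_vsas(blob):
    """Yield (vendor_id, vendor_type, data) for each sub-attribute of each VSA."""
    for attr_type, value in iter_attrs(blob):
        if attr_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        for vendor_type, data in iter_attrs(value[4:]):
            yield vendor_id, vendor_type, data


def omniswitch_vlan(blob):
    """Return the VLAN sent as vendor 800 / attribute 1, or None if absent."""
    for vendor_id, vendor_type, data in iter_vsas(blob):
        if (vendor_id, vendor_type) == (OMNISWITCH_VENDOR, AUTH_GROUP) and len(data) == 4:
            return struct.unpack("!I", data)[0]
    return None


# Constructed sample reply attributes (not captured traffic).
TUNNEL_ONLY = (
    encode_attr(64, b"\x00\x00\x00\x0d")    # Tunnel-Type = VLAN (13), tag 0
    + encode_attr(65, b"\x00\x00\x00\x06")  # Tunnel-Medium-Type = IEEE-802 (6)
    + encode_attr(81, b"3")                 # Tunnel-Private-Group-Id = "3"
)
GOOD = encode_vsa_int(OMNISWITCH_VENDOR, AUTH_GROUP, 3)
WRONG_NUMBER = encode_vsa_int(OMNISWITCH_VENDOR, 134, 3)  # right vendor, wrong number
WRONG_VENDOR = encode_vsa_int(9999, AUTH_GROUP, 3)        # 9999 is a made-up vendor

if __name__ == "__main__":
    samples = [("tunnel only", TUNNEL_ONLY), ("vendor 800/1", GOOD),
               ("vendor 800/134", WRONG_NUMBER), ("vendor 9999/1", WRONG_VENDOR)]
    for name, blob in samples:
        print(f"{name:15} {blob.hex()} -> VLAN {omniswitch_vlan(blob)}")
```

Only the reply carrying vendor 800 with sub-attribute 1 yields a VLAN; the other three are valid RADIUS attributes that a device looking for that VSA would not pick up.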
[SOLVED] - Re: VLAN assigment and Alcatel Omniswitch 7800
Hello Santa.

This worked great!!! I was doing 802.1x only, no AVLAN.

For any soul out there trying to implement 802.1x with FreeRadius on OpenSuSE 10.1 and Omniswitch 7800 and Active Directory as taught on:

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

Take note of the following points:

1) If you use PEAP, install the patch from MS to Radius as noted on the FAQ, you need someone with Gold Support from M$ to get it or email me off the list :)
   http://wiki.freeradius.org/FreeRADIUS_Wiki:FAQ#PEAP_Doesn.27t_Work
2) If PEAP is your election, install the CA and generate the certificates on the Radius server.
3) Modify the permissions of execution for the winbind daemon in order to accomplish the ntlm_auth process, FIXME, now using root permissions.
4) Use Xylan-Auth-Group as VSA in /etc/raddb/users as the attribute for assigning VLAN, or generate the new dictionary.alcatel as Santa Yeh described below, and then use Alcatel-Auth-Group as the attribute for VLAN
5) Use the setup for omniswitch as described below by Santa Yeh
6) Thank all these great people who develop and support this great software.

Thanks Alan, A.L.M., Jeremy, Marcel and Santa.

Best regards

Oxiel

On Wednesday, 14 February 2007 11:19, Santa Yeh wrote:

Hello Oxiel,

Are you doing AVLAN or 802.1x?

1. I created a new file - dictionary.alcatel

    #
    # dictionary.alcatel
    #
    # Alcatel VSAs
    #
    VENDOR          Alcatel                         800

    #
    # Standard attribute
    #
    ATTRIBUTE       Alcatel-Auth-Group              1       integer Alcatel
    ATTRIBUTE       Alcatel-Slot-Port               2       string  Alcatel
    ATTRIBUTE       Alcatel-Time-of-Day             3       string  Alcatel
    ATTRIBUTE       Alcatel-Client-IP-Addr          4       ipaddr  Alcatel
    ATTRIBUTE       Alcatel-Group-Desc              5       string  Alcatel
    ATTRIBUTE       Alcatel-Port-Desc               6       string  Alcatel

    VALUE           Acct-Authentic                  AUTH-AVCLIENT   4
    VALUE           Acct-Authentic                  AUTH-TELNET     5
    VALUE           Acct-Authentic                  AUTH-HTTP       6

2. For users file

    user1   Auth-Type := Local, Password = user1
            Alcatel-Auth-Group = 3

3. For AVLAN

    vlan 3 authentication enable
    vlan port mobile 1/1 bpdu ignore enable
    vlan port 1/1 authenticate enable
    ip interface vlan3 address 192.168.11.254 mask 255.255.255.0 vlan 3
    aaa radius-server rad1 host 192.168.10.211 key radkey
    aaa authentication vlan single-mode rad1
    aaa accounting vlan rad1
    aaa avlan default dhcp 192.168.11.254
    aaa avlan dns alcatel
    avlan 3 auth-ip 192.168.11.253

4. For 802.1x (Sorry, just from my memory)

    vlan 3 802.1x enable
    vlan port mobile 1/1 bpdu ignore enable
    vlan port 1/1 802.1x enable
    ip interface vlan3 address 192.168.11.254 mask 255.255.255.0 vlan 3
    aaa radius-server rad1 host 192.168.10.211 key radkey
    aaa authentication 802.1x rad1
    aaa accounting 802.1x rad1
Re: VLAN assigment and Alcatel Omniswitch 7800
Hello Marcel

I suggest you look into chapter 22 of your 7700/7800/8800 Network Configuration Guide, where dot1x is explained. Somewhere in the first few pages of this chapter is an explanation of assigning users to VLANs based on RADIUS authentication. Authenticated VLAN appears to be something completely different (although it uses RADIUS and assigns VLANs to users, the methods are different, probably more like a captive portal). It looks like you'll need to provide the VLAN number in a VSA (see chapter 20).

I did read it, that's why I began to try this setup in the first place, but I have to confess my ignorance about the VSA topic, didn't understand it completely until recently, thanks a lot for your help.

Because I work at Alcatel-Lucent (as you can probably see from my e-mail address), a big fat disclaimer is in place: This mail does not represent Alcatel-Lucent in any way. Everything I have written in this mail is either my opinion or information I interpreted from publicly available documents (I found the manuals through Google on a server that, judging from its name, is open for public access). I don't work in a department that has anything to do with Omniswitches and have not used them myself. Because of that, this information may be inaccurate or even plain wrong, Alcatel-Lucent is not responsible for the accuracy of this information. I'm just trying to be helpful here based on what I know.

Indeed you were right, and I was wrong, at least according to what I was told from support at first consult. For your tranquillity and my happiness :) it happens that no licenses were needed to support this task, I'll let you know what is the final setup and solution.

Thanks for your help again.

Best regards

Oxiel
Re: VLAN assigment and Alcatel Omniswitch 7800
Hello Santa.

On Sunday, 11 February 2007 22:57, Santa Yeh wrote:

You can not use the standard attributes:

    Tunnel-Type:0 += VLAN
    Tunnel-Medium-Type:0 += IEEE-802
    Tunnel-Private-Group-Id:0 += 3

The VSA for Alcatel switches is Alcatel-Auth-Group, that is why you should check the user manual.

I've added the Alcatel-Auth-Group attribute to dictionary.alcatel like this:

    ATTRIBUTE Alcatel-Auth-Group 134 integer

and modified users file like this:

    Tunnel-Type += 13,
    Tunnel-Medium-Type += 6,
    Alcatel-Auth-Group += 3

Now I see the Access-Accept part of the log, which is sent with the attribute, but nothing happens.

    Sending Access-Accept of id 181 to 192.168.10.20 port 1074
            Tunnel-Type:0 += VLAN
            Tunnel-Medium-Type:0 += IEEE-802
            Alcatel-Auth-Group += 3
            MS-MPPE-Recv-Key = 0xc90404d5af28944ae97417b2336cf56e204fe5afab5c7c7e7e50045ec24473b3
            MS-MPPE-Send-Key = 0xc990b966cc4bed66c7be062e54795ddb253efe28c8426ecbb298d302c64b9359
            EAP-Message = 0x030d0004
            Message-Authenticator = 0x
            User-Name = MYDOMAIN\\jose
    Finished request 8

Could you please pass me the relevant parts of your switch setup?

    vlan port mobile
    vlan authentication
    aaa

Is it necessary to define vlan rules on the switch in order to move the mobile port to the vlan designated with Alcatel-Auth-Group?

Thanks and best regards

Oxiel
Re: VLAN assigment and Alcatel Omniswitch 7800
Hello Jeremy.

Have you checked the documentation for the Omniswitch to verify that it supports this? If I send back the same attributes on my wireless access points, it works perfectly (we do this in production). The AP's, however, support that.

I'll check it again, it's become difficult to talk to tech support from Alcatel. In the meantime they've told me that I'll need some sort of license to support vlan assignment, I think they call it Authenticated VLAN. Even more, they've suggested to me another radius server, Steel-Belted Radius from Funk Software, which now happens to be part of Juniper, disgusting ... I'm reluctant to use it, I'm starting to learn a lot with freeradius, and won't change it.

If it's true, I wonder why this brand (and model) of switch, being so expensive, needs an extra license to do something which is free with others (cisco, 3com, etc)?

Well, I'm disappointed, maybe someone from Alcatel could give me a better explanation.

Best regards to all of you.

Oxiel
Re: VLAN assigment and Alcatel Omniswitch 7800
Hello Alan.

Thank you, as you advised I've changed users file, now it's:

    MYDOMAIN\\jose
            Tunnel-Type += VLAN,
            Tunnel-Medium-Type += IEEE-802,
            Tunnel-Private-Group-Id += 3

The Access-Accept part of radiusd -X is now sending the switch the correct information:

    modcall[authenticate]: module eap returns ok for request 8
    modcall: leaving group authenticate (returns ok) for request 8
    Sending Access-Accept of id 1 to 192.168.10.20 port 1068
            Tunnel-Type:0 += VLAN
            Tunnel-Medium-Type:0 += IEEE-802
            Tunnel-Private-Group-Id:0 += 3
            MS-MPPE-Recv-Key = 0x2c003c698c883936e741aeed8974f40eb012d38af20400bdd0815dac46dc2e0b
            MS-MPPE-Send-Key = 0x92807250a6760157aa6a39f9a05239c3d28bce8c5b7dc3563bd2ddc7cae2893e
            EAP-Message = 0x030a0004
            Message-Authenticator = 0x
            User-Name = MYDOMAIN\\jose
    Finished request 8

But still the VLAN is not assigned, what else can it be?

Best regards.

Oxiel

Don't set Auth-Type. Ever.

Tunnel-Type += VLAN, Tunnel-Medium-Type += IEEE-802, Tunnel-Private-Group-Id += 3 But the port is never assigned to VLAN 3 for the user jose.

Because that information isn't being sent back to the NAS.

Is it possible to assign VLAN's with Alcatel?

I presume so. See the Alcatel documentation.

It seems to me, that the VLAN parameters are never returned to the switch in the Access-Accept part of the result from radiusd -X.

Yes. The username in the request is MYDOMAIN\\jose, not jose.
VLAN assigment and Alcatel Omniswitch 7800
Hello gurus.

I'm new to radius, but willing to learn :)

Using OpenSuSE 10.1 and freeradius-1.1.0-19 and Windows2K as AD and Alcatel Omniswitch 7800 with 802.1x and Port Mobility features enabled.

I've followed the steps from:

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

The authentication of WindowsXP Supplicants with EAP/PEAP is working great, now I need to assign VLANs to this setup. I've searched the list and Google and found this setting for /etc/raddb/users:

    jose    Auth-Type == EAP
            Tunnel-Type += VLAN,
            Tunnel-Medium-Type += IEEE-802,
            Tunnel-Private-Group-Id += 3

But the port is never assigned to VLAN 3 for the user jose.

Is it possible to assign VLAN's with Alcatel? Do I need any extra license? Anybody have this running?

It seems to me, that the VLAN parameters are never returned to the switch in the Access-Accept part of the result from radiusd -X.

    oxiel:/etc/raddb # radiusd -X
    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /etc/raddb/proxy.conf
    Config: including file: /etc/raddb/clients.conf
    Config: including file: /etc/raddb/snmp.conf
    Config: including file: /etc/raddb/eap.conf
    Config: including file: /etc/raddb/sql.conf
    main: prefix = /usr
    main: localstatedir = /var
    main: logdir = /var/log/radius
    main: libdir = /usr/lib/freeradius
    main: radacctdir = /var/log/radius/radacct
    main: hostname_lookups = no
    main: max_request_time = 30
    main: cleanup_delay = 5
    main: max_requests = 1024
    main: delete_blocked_requests = 0
    main: port = 0
    main: allow_core_dumps = no
    main: log_stripped_names = no
    main: log_file = /var/log/radius/radius.log
    main: log_auth = no
    main: log_auth_badpass = no
    main: log_auth_goodpass = no
    main: pidfile = /var/run/radiusd/radiusd.pid
    main: user = root
    main: group = root
    main: usercollide = no
    main: lower_user = no
    main: lower_pass = no
    main: nospace_user = no
    main: nospace_pass = no
    main: checkrad = /usr/sbin/checkrad
    main: proxy_requests = yes
    proxy: retry_delay = 5
    proxy: retry_count = 3
    proxy: synchronous = no
    proxy: default_fallback = yes
    proxy: dead_time = 120
    proxy: post_proxy_authorize = no
    proxy: wake_all_if_all_dead = no
    security: max_attributes = 200
    security: reject_delay = 1
    security: status_server = no
    main: debug_level = 0
    read_config_files: reading dictionary
    read_config_files: reading naslist
    read_config_files: reading clients
    read_config_files: reading realms
    radiusd: entering modules setup
    Module: Library search path is /usr/lib/freeradius
    Module: Loaded exec
    exec: wait = yes
    exec: program = (null)
    exec: input_pairs = request
    exec: output_pairs = (null)
    exec: packet_type = (null)
    rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded MS-CHAP
    mschap: use_mppe = yes
    mschap: require_encryption = no
    mschap: require_strong = no
    mschap: with_ntdomain_hack = yes
    mschap: passwd = (null)
    mschap: authtype = MS-CHAP
    mschap: ntlm_auth = /usr/bin/ntlm_auth --username=%{mschap:User-Name} --request-nt-key --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
    Module: Instantiated mschap (mschap)
    Module: Loaded eap
    eap: default_eap_type = peap
    eap: timer_expire = 60
    eap: ignore_unknown_eap_types = no
    eap: cisco_accounting_username_bug = no
    rlm_eap: Loaded and initialized type md5
    rlm_eap: Loaded and initialized type leap
    gtc: challenge = Password:
    gtc: auth_type = PAP
    rlm_eap: Loaded and initialized type gtc
    tls: rsa_key_exchange = no
    tls: dh_key_exchange = yes
    tls: rsa_key_length = 512
    tls: dh_key_length = 512
    tls: verify_depth = 0
    tls: CA_path = (null)
    tls: pem_file_type = yes
    tls: private_key_file = /etc/raddb/certs/cert-srv.pem
    tls: certificate_file = /etc/raddb/certs/cert-srv.pem
    tls: CA_file = /etc/raddb/certs/demoCA/cacert.pem
    tls: private_key_password = whatever
    tls: dh_file = /etc/raddb/certs/dh
    tls: random_file = /dev/urandom
    tls: fragment_size = 1024
    tls: include_length = yes
    tls: check_crl = no
    tls: check_cert_cn = (null)
    rlm_eap_tls: Loading the certificate file as a chain
    rlm_eap: Loaded and initialized type tls
    peap: default_eap_type = mschapv2
    peap: copy_request_to_tunnel = no
    peap: use_tunneled_reply = no
    peap: proxy_tunneled_request_as_eap = yes
    rlm_eap: Loaded and initialized type peap
    mschapv2: with_ntdomain_hack = no
    rlm_eap: Loaded and initialized type mschapv2
    Module: Instantiated eap (eap)
    Module: Loaded preprocess
    preprocess: huntgroups = /etc/raddb/huntgroups
    preprocess: hints = /etc/raddb/hints
    preprocess: with_ascend_hack = no
    preprocess: ascend_channels_per_line = 23
    preprocess: with_ntdomain_hack = no
    preprocess: with_specialix_jetstream_hack = no
    preprocess: with_cisco_vsa_hack = no
    Module: Instantiated preprocess (preprocess)
    Module: Loaded realm
    realm: format =