Hi all, I need to authorize wireless users with the EAP-PEAP protocol on a Cisco Air 350, but, unfortunately, the RADIUS server of the billing system cannot do EAP-PEAP. A FreeRADIUS server in proxy mode terminates the TLS tunnel, and the requests go to the billing system's RADIUS server using the MS-CHAPv2 algorithm.
All right, the authorization is correct, but there is one problem: FreeRADIUS does not pass the Framed-IP-Address attribute to the Windows wireless client. Please show me where my mistake is!

192.168.2.252 - IP address of the server; port 1645 for FreeRADIUS auth packets; ports 1812,1813 for the billing RADIUS
10.1.1.30 - Cisco Air 350 wireless AP

========================= FreeRadius Configs ==============================

______________ proxy.conf __________________________

proxy server {
	default_fallback = no
}

home_server BGBILLING {
	type = auth+acct
	ipaddr = 192.168.2.252
	port = 1812
	secret = bgbilling
	zombie_period = 30
	response_window = 20
	status_check = none
	ping_check = none
}

realm BGBILLING {
	nostrip
	authhost = 192.168.2.252:1812
	accthost = 192.168.2.252:1813
	secret = bgbilling
	type = radius
}

_______________________ eap.conf ____________________________

eap {
	default_eap_type = mschapv2
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 2048
	md5 {
	}
	leap {
	}
	gtc {
		auth_type = PAP
	}
	tls {
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs
		private_key_password = whatever
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		CA_file = ${cadir}/ca.pem
		dh_file = ${certdir}/dh
		random_file = ${certdir}/random
		cipher_list = "DEFAULT"
		make_cert_command = "${certdir}/bootstrap"
		cache {
			enable = no
			lifetime = 24 # hours
			max_entries = 255
		}
	}
	ttls {
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}
	peap {
		default_eap_type = mschapv2
		copy_request_to_tunnel = yes
		use_tunneled_reply = yes
		proxy_tunneled_request_as_eap = no
		virtual_server = "proxy-inner-tunnel"
	}
	mschapv2 {
	}
}

_____________________ proxy-inner-tunnel _________________________

server proxy-inner-tunnel {
	authorize {
		update control {
			Proxy-To-Realm := "BGBILLING"
		}
	}
	authenticate {
		eap
	}
	post-proxy {
		eap
	}
}

============= output listing /usr/local/sbin/radiusd -X ===============
.....
Listening on authentication address * port 1645
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1647
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=72, length=160
	User-Name = "user1"
	Framed-MTU = 1400
	Called-Station-Id = "0040.9645.a099"
	Calling-Station-Id = "001a.73f3.d763"
	Cisco-AVPair = "ssid=hotel"
	Service-Type = Login-User
	Message-Authenticator = 0x494e97d46fe81b971dc73dd31ff16394
	EAP-Message = 0x0202000b016b6e79726b6f
	NAS-Port-Type = Wireless-802.11
	Cisco-NAS-Port = "265"
	NAS-Port = 265
	NAS-IP-Address = 10.1.1.30
	NAS-Identifier = "wifi-tur"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] expand: %t -> Tue Jun 8 11:31:01 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 72 to 10.1.1.30 port 1645
	EAP-Message = 0x010300201a0103001b109438e3fc9d17289fae6cb63fc00e7aa66b6e79726b6f
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xb96e281cb96d3292c40f2d5bd304aa6d
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=73, length=173
	User-Name = "user1"
	Framed-MTU = 1400
	Called-Station-Id = "0040.9645.a099"
	Calling-Station-Id = "001a.73f3.d763"
	Cisco-AVPair = "ssid=hotel"
	Service-Type = Login-User
	Message-Authenticator = 0x5da76e7269b5dfd3bc0e5c1e22572792
	EAP-Message = 0x020300060319
	NAS-Port-Type = Wireless-802.11
	Cisco-NAS-Port = "265"
	NAS-Port = 265
	State = 0xb96e281cb96d3292c40f2d5bd304aa6d
	NAS-IP-Address = 10.1.1.30
	NAS-Identifier = "wifi-tur"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] expand: %t -> Tue Jun 8 11:31:01 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 73 to 10.1.1.30 port 1645
	EAP-Message = 0x010400061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xb96e281cb86a3192c40f2d5bd304aa6d
Finished request 1.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=74, length=282
	User-Name = "user1"
	Framed-MTU = 1400
	Called-Station-Id = "0040.9645.a099"
	Calling-Station-Id = "001a.73f3.d763"
	Cisco-AVPair = "ssid=hotel"
	Service-Type = Login-User
	Message-Authenticator = 0xb109fb190497ea0d7fc6b2c278edde68
	EAP-Message = 0x0204007319800000006916030100640100006003014c0db953af95c919c15ef30ba4aac16c460fb4eab05a9f6dd857d064cd90464a000018002f00350005000ac013c014c009c00a00320038001300040100001f0000000b00090000066b6e79726b6f000a0006000400170018000b00020100
	NAS-Port-Type = Wireless-802.11
	Cisco-NAS-Port = "265"
	NAS-Port = 265
	State = 0xb96e281cb86a3192c40f2d5bd304aa6d
	NAS-IP-Address = 10.1.1.30
	NAS-Identifier = "wifi-tur"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] expand: %t -> Tue Jun 8 11:31:01 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 115
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 105
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0064], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 74 to 10.1.1.30 port 1645
	EAP-Message = 0x314c3aa522f28d353c376f57bda10dc1d885dbdf1998881a5cc849eb9d690afe4acf5f9788e57bf697a69f79982fed14deb5c818fede3a2738889cef2bdef52ee3b66b7515522624c4c2966968f402ca83cbbf9d54ebbba44f61b10770671d05bdcd61986de0a69bf70f86da40d45d7b73d544aa90fd621c9be16feefccfd9a63c25fe8b162e96e2e125c976ed97e1fd35a180c3f00ad95c3f1e17ba0f2689c4a2315641dfa3c305df06ce967569aecf6bcba740dc1bd887848ff36dbe8e39c914d50203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101006330573529444d8fdf
	EAP-Message = 0x8af16f441adc5fb781962cdea7037b1f61da6aa7c39dd35b0d396d056dc8fbd74f808fa96a6a3891f18cd4b97c22758a5f66fa66222d2b5edeaac355ee75ea406e7a5504480c9a04dc22925cd13f5976b12f12c3674d3ded930dd3494f7aadd44f265d49452e9987b37b89d08baeb9ad871d3b0540fe55fa8f5ae666fa003459cc392b8fcacc1e79db91a91cab9cb7d5fc7acd7c14fc970e81962ea223a66160865aab8aacec6a91f71d536cd2912d4eb47f2ca9395639e81378559fce55e89c85eea597e02983b3526b8200f8609c05ea9530386e52885a542e4f7c57f7636cceff67da659a12656ac8d27669919d193e57f0de1319d50004ab308204
	EAP-Message = 0xa73082038fa0030201020209
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xb96e281cbb6b3192c40f2d5bd304aa6d
Finished request 2.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=75, length=173
	User-Name = "user1"
	Framed-MTU = 1400
	Called-Station-Id = "0040.9645.a099"
	Calling-Station-Id = "001a.73f3.d763"
	Cisco-AVPair = "ssid=hotel"
	Service-Type = Login-User
	Message-Authenticator = 0xf52ad6f161d75123fe2abd219470982e
	EAP-Message = 0x020500061900
	NAS-Port-Type = Wireless-802.11
	Cisco-NAS-Port = "265"
	NAS-Port = 265
	State = 0xb96e281cbb6b3192c40f2d5bd304aa6d
	NAS-IP-Address = 10.1.1.30
	NAS-Identifier = "wifi-tur"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] expand: %t -> Tue Jun 8 11:31:01 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 75 to 10.1.1.30 port 1645
	EAP-Message = 0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900c3450bd4360aab67300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100810219eb113cdb3c6ec57eefd1bf89d806132cdc04936328f3a8ef700999921f6e16119c2c138cbcd0ad519af85a8810981a5acadd77946cebdbc402511806fdb457c3b7e2d6c68d0fd57c5373830fb9ed35
	EAP-Message = 0x5c9187d4a4579346
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xb96e281cba683192c40f2d5bd304aa6d
Finished request 3.
Going to the next request
Waking up in 4.2 seconds.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=76, length=173
	User-Name = "user1"
	Framed-MTU = 1400
	Called-Station-Id = "0040.9645.a099"
	Calling-Station-Id = "001a.73f3.d763"
	Cisco-AVPair = "ssid=hotel"
	Service-Type = Login-User
	Message-Authenticator = 0x26fdb62570e22ae7e620484a395896af
	EAP-Message = 0x020600061900
	NAS-Port-Type = Wireless-802.11
	Cisco-NAS-Port = "265"
	NAS-Port = 265
	State = 0xb96e281cba683192c40f2d5bd304aa6d
	NAS-IP-Address = 10.1.1.30
	NAS-Identifier = "wifi-tur"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] expand: %t -> Tue Jun 8 11:31:01 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 76 to 10.1.1.30 port 1645
	EAP-Message = 0x010700b5190044f055e573d738d504987b55f6f03e1948e7d2d7dbacb011aaf5aebdf9065f187c0b5e96b54bc0b364423644b9d3c23312fce681f932ce3118bcb897f86b8baf7a29503854fb791fb2719f21318b6ec050d76ffe34e6a187f7930586ceb74de1640d8e390bc753e5b39e4a3d2ebbc10c09fb22aba90160a193b8a52c1a8917ba83a3fd6f21824c02f19bee53a7ad1fb5768e24db328f22f1ff2d71d26e57a6d06f50ce04ac0616030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xb96e281cbd693192c40f2d5bd304aa6d
Finished request 4.
Going to the next request
Waking up in 4.1 seconds.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=77, length=505
	User-Name = "user1"
	Framed-MTU = 1400
	Called-Station-Id = "0040.9645.a099"
	Calling-Station-Id = "001a.73f3.d763"
	Cisco-AVPair = "ssid=hotel"
	Service-Type = Login-User
	Message-Authenticator = 0x1ad2ffe0e14528adc87c4041553f7a82
	EAP-Message = 0xa7a034091776d1a06bb859db6d710abed6407ab76869fa07140301000101160301003060b0129d6f502b4a4baf38296ef7870dd58319111bba5aafe2b339a2244d5099ec2fabe68c6b150e8798833e08be47a7
	NAS-Port-Type = Wireless-802.11
	Cisco-NAS-Port = "265"
	NAS-Port = 265
	State = 0xb96e281cbd693192c40f2d5bd304aa6d
	NAS-IP-Address = 10.1.1.30
	NAS-Identifier = "wifi-tur"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] expand: %t -> Tue Jun 8 11:31:02 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 77 to 10.1.1.30 port 1645
	EAP-Message = 0x010800411900140301000101160301003059bf40066161ba7b9bc89876ddca50e8dac6ffdebb75de45834d3df7b033b094bfab27efb9bcf049c6cc5d3102e62340
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xb96e281cbc663192c40f2d5bd304aa6d
Finished request 5.
Going to the next request
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=78, length=173
	User-Name = "user1"
	Framed-MTU = 1400
	Called-Station-Id = "0040.9645.a099"
	Calling-Station-Id = "001a.73f3.d763"
	Cisco-AVPair = "ssid=hotel"
	Service-Type = Login-User
	Message-Authenticator = 0x6f002e36d5971bf5cd3dd1aa9ea9d130
	EAP-Message = 0x020800061900
	NAS-Port-Type = Wireless-802.11
	Cisco-NAS-Port = "265"
	NAS-Port = 265
	State = 0xb96e281cbc663192c40f2d5bd304aa6d
	NAS-IP-Address = 10.1.1.30
	NAS-Identifier = "wifi-tur"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] expand: %t -> Tue Jun 8 11:31:02 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 78 to 10.1.1.30 port 1645
	EAP-Message = 0x0109002b19001703010020240976f4b60da3fa472d90bc15dff92ea15d0c0dd63f4b6e793e08b31f1479e2
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xb96e281cbf673192c40f2d5bd304aa6d
Finished request 6.
Going to the next request
Waking up in 3.6 seconds.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=79, length=210
	User-Name = "user1"
	Framed-MTU = 1400
	Called-Station-Id = "0040.9645.a099"
	Calling-Station-Id = "001a.73f3.d763"
	Cisco-AVPair = "ssid=hotel"
	Service-Type = Login-User
	Message-Authenticator = 0x1b2a6ee5e33e06c80dffba188c743fc6
	EAP-Message = 0x0209002b190017030100201246827da5deb469c615b1f6612fc7e0efd1a6cf80bd60db6e0ba481b3ec86eb
	NAS-Port-Type = Wireless-802.11
	Cisco-NAS-Port = "265"
	NAS-Port = 265
	State = 0xb96e281cbf673192c40f2d5bd304aa6d
	NAS-IP-Address = 10.1.1.30
	NAS-Identifier = "wifi-tur"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] expand: %t -> Tue Jun 8 11:31:02 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - user1
[peap] Got tunneled request
	EAP-Message = 0x0209000b016b6e79726b6f
server {
  PEAP: Got tunneled identity of user1
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to user1
Sending tunneled request
	EAP-Message = 0x0209000b016b6e79726b6f
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "user1"
	Framed-MTU = 1400
	Called-Station-Id = "0040.9645.a099"
	Calling-Station-Id = "001a.73f3.d763"
	Cisco-AVPair = "ssid=hotel"
	Service-Type = Login-User
	NAS-Port-Type = Wireless-802.11
	Cisco-NAS-Port = "265"
	NAS-Port = 265
	NAS-IP-Address = 10.1.1.30
	NAS-Identifier = "wifi-tur"
server proxy-inner-tunnel {
+- entering group authorize {...}
++[control] returns notfound
} # server proxy-inner-tunnel
[peap] Got tunneled reply code 0
  PEAP: Calling authenticate in order to initiate tunneled EAP session.
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
  PEAP: Cancelling proxy to realm BGBILLING until the tunneled EAP session has been established
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x010a00201a010a001b106c8016823c336d61519e51fc4ee6c0036b6e79726b6f
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xc76f110ac7650b9c62c6ece3f4691f2d
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 79 to 10.1.1.30 port 1645
	EAP-Message = 0x010a004b19001703010040c74e658780df12a4060414a2d457aeaee36041d6d5b2b538fbe076b655db122a0c5ce268f4fecb5c90e76e1ba4f33d54f5a3898f5a53b5f366d61973b18c0aba
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xb96e281cbe643192c40f2d5bd304aa6d
Finished request 7.
Going to the next request
Waking up in 3.2 seconds.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=80, length=274
	User-Name = "user1"
	Framed-MTU = 1400
	Called-Station-Id = "0040.9645.a099"
	Calling-Station-Id = "001a.73f3.d763"
	Cisco-AVPair = "ssid=hotel"
	Service-Type = Login-User
	Message-Authenticator = 0xc899033d21dca9e2fa7980f5a74228c1
	EAP-Message = 0x020a006b19001703010060b1e61384342076d9a4394fa854e80636ec4f86c7cffd5120ea58f87445d83e78080812186d5ad9919030e664b9d0e66a4196d66ef0100d062c10e33a80e4f078eb2256c4a2a93b93755c7f296995bcb9f487258f62dc704c8e637244f2c29c2f
	NAS-Port-Type = Wireless-802.11
	Cisco-NAS-Port = "265"
	NAS-Port = 265
	State = 0xb96e281cbe643192c40f2d5bd304aa6d
	NAS-IP-Address = 10.1.1.30
	NAS-Identifier = "wifi-tur"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] expand: %t -> Tue Jun 8 11:31:03 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x020a00411a020a003c31b0ee06e46d905e4ed7d763609a5a2535000000000000000019b2ed0e1ce1f5198d7f46cd0ef0c16551cfcdf7e5ac8937006b6e79726b6f
server {
  PEAP: Setting User-Name to user1
Sending tunneled request
	EAP-Message = 0x020a00411a020a003c31b0ee06e46d905e4ed7d763609a5a2535000000000000000019b2ed0e1ce1f5198d7f46cd0ef0c16551cfcdf7e5ac8937006b6e79726b6f
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "user1"
	State = 0xc76f110ac7650b9c62c6ece3f4691f2d
	Framed-MTU = 1400
	Called-Station-Id = "0040.9645.a099"
	Calling-Station-Id = "001a.73f3.d763"
	Cisco-AVPair = "ssid=hotel"
	Service-Type = Login-User
	NAS-Port-Type = Wireless-802.11
	Cisco-NAS-Port = "265"
	NAS-Port = 265
	NAS-IP-Address = 10.1.1.30
	NAS-Identifier = "wifi-tur"
server proxy-inner-tunnel {
+- entering group authorize {...}
++[control] returns notfound
} # server proxy-inner-tunnel
[peap] Got tunneled reply code 0
  PEAP: Calling authenticate in order to initiate tunneled EAP session.
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Not-EAP proxy set. Not composing EAP
++[eap] returns handled
  PEAP: Tunneled authentication will be proxied to BGBILLING
  PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
[eap] Tunneled session will be proxied. Not doing EAP.
++[eap] returns handled
Sending Access-Request of id 0 to 192.168.2.252 port 1812
	User-Name = "user1"
	Framed-MTU = 1400
	Called-Station-Id = "0040.9645.a099"
	Calling-Station-Id = "001a.73f3.d763"
	Cisco-AVPair = "ssid=hotel"
	Service-Type = Login-User
	NAS-Port-Type = Wireless-802.11
	Cisco-NAS-Port = "265"
	NAS-Port = 265
	NAS-IP-Address = 10.1.1.30
	NAS-Identifier = "wifi-tur"
	MS-CHAP-Challenge = 0x6c8016823c336d61519e51fc4ee6c003
	MS-CHAP2-Response = 0x0a6eb0ee06e46d905e4ed7d763609a5a2535000000000000000019b2ed0e1ce1f5198d7f46cd0ef0c16551cfcdf7e5ac8937
	Proxy-State = 0x3830
Proxying request 8 to home server 192.168.2.252 port 1812
Sending Access-Request of id 0 to 192.168.2.252 port 1812
	User-Name = "user1"
	Framed-MTU = 1400
	Called-Station-Id = "0040.9645.a099"
	Calling-Station-Id = "001a.73f3.d763"
	Cisco-AVPair = "ssid=hotel"
	Service-Type = Login-User
	NAS-Port-Type = Wireless-802.11
	Cisco-NAS-Port = "265"
	NAS-Port = 265
	NAS-IP-Address = 10.1.1.30
	NAS-Identifier = "wifi-tur"
	MS-CHAP-Challenge = 0x6c8016823c336d61519e51fc4ee6c003
	MS-CHAP2-Response = 0x0a6eb0ee06e46d905e4ed7d763609a5a2535000000000000000019b2ed0e1ce1f5198d7f46cd0ef0c16551cfcdf7e5ac8937
	Proxy-State = 0x3830
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 192.168.2.252 port 1812, id=0, length=207
	Acct-Interim-Interval = 60
	Proxy-State = 0x3830
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Framed-IP-Address = 10.1.2.199
	MS-MPPE-Send-Key = 0x198c7e625f58d59e8a2bdbc3430e5754
	MS-MPPE-Recv-Key = 0x8fffb24fe737a4f5e91764e1112e87a9
	MS-CHAP2-Success = 0x3f533d42373644303537323430393544334131333434353245353237443933373439364645303536303245
	MS-MPPE-Encryption-Types = 0x00000004
	MS-MPPE-Encryption-Policy = 0x00000001
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
[eap] Passing reply from proxy back into the tunnel.
server proxy-inner-tunnel {
[eap] Passing reply back for EAP-MS-CHAP-V2
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x801157240 2.
rlm_eap_mschapv2: Authentication succeeded.
  MSCHAP Success
++[eap] returns ok
} # server proxy-inner-tunnel
[eap] Final reply from tunneled session code 11
	Acct-Interim-Interval = 60
	Proxy-State = 0x3830
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Framed-IP-Address = 10.1.2.199
	EAP-Message = 0x010b00331a030a002e533d42373644303537323430393544334131333434353245353237443933373439364645303536303245
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xc76f110ac6640b9c62c6ece3f4691f2d
[eap] Got reply 11
[eap] Got tunneled reply RADIUS code 11
	Acct-Interim-Interval = 60
	Proxy-State = 0x3830
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Framed-IP-Address = 10.1.2.199
	EAP-Message = 0x010b00331a030a002e533d42373644303537323430393544334131333434353245353237443933373439364645303536303245
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xc76f110ac6640b9c62c6ece3f4691f2d
[eap] Got tunneled Access-Challenge
[eap] Saving tunneled attributes for later
[eap] Reply was handled
++[eap] returns ok
Sending Access-Challenge of id 80 to 10.1.1.30 port 1645
	EAP-Message = 0x010b005b19001703010050dfe77e0a225e61d5455d1443bd5fd250ac27b94fcddb0a4a2c7fbd56c402cdb1bb1d7810323a0124f3b2856070d3d7682b110d546914df753e8db8d0b823b1412ab963a217719e3c3889b6f8f8bf0a13
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xb96e281cb1653192c40f2d5bd304aa6d
Finished request 8.
Going to the next request
Waking up in 2.8 seconds.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=81, length=210
	User-Name = "user1"
	Framed-MTU = 1400
	Called-Station-Id = "0040.9645.a099"
	Calling-Station-Id = "001a.73f3.d763"
	Cisco-AVPair = "ssid=hotel"
	Service-Type = Login-User
	Message-Authenticator = 0xc0d3ce2339948cee0e870e4921cfc1d1
	EAP-Message = 0x020b002b19001703010020a7612e29eb6c9a041989740818859639dc2e36389dac01b9ec1646e17fe16276
	NAS-Port-Type = Wireless-802.11
	Cisco-NAS-Port = "265"
	NAS-Port = 265
	State = 0xb96e281cb1653192c40f2d5bd304aa6d
	NAS-IP-Address = 10.1.1.30
	NAS-Identifier = "wifi-tur"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] expand: %t -> Tue Jun 8 11:31:04 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 11 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x020b00061a03
server {
  PEAP: Setting User-Name to user1
Sending tunneled request
	EAP-Message = 0x020b00061a03
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "user1"
	State = 0xc76f110ac6640b9c62c6ece3f4691f2d
	Framed-MTU = 1400
	Called-Station-Id = "0040.9645.a099"
	Calling-Station-Id = "001a.73f3.d763"
	Cisco-AVPair = "ssid=hotel"
	Service-Type = Login-User
	NAS-Port-Type = Wireless-802.11
	Cisco-NAS-Port = "265"
	NAS-Port = 265
	NAS-IP-Address = 10.1.1.30
	NAS-Identifier = "wifi-tur"
server proxy-inner-tunnel {
+- entering group authorize {...}
++[control] returns notfound
} # server proxy-inner-tunnel
[peap] Got tunneled reply code 0
  PEAP: Calling authenticate in order to initiate tunneled EAP session.
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
[peap] Got tunneled reply RADIUS code 2
	EAP-Message = 0x030b0004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "user1"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 81 to 10.1.1.30 port 1645
	EAP-Message = 0x010c002b19001703010020f46739737b83372fd9351e206398bcff3b954696d2d82a5ee0d7b131ed5aee48
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xb96e281cb0623192c40f2d5bd304aa6d
Finished request 9.
Going to the next request
Waking up in 1.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=82, length=210
    User-Name = "user1"
    Framed-MTU = 1400
    Called-Station-Id = "0040.9645.a099"
    Calling-Station-Id = "001a.73f3.d763"
    Cisco-AVPair = "ssid=hotel"
    Service-Type = Login-User
    Message-Authenticator = 0x5a6bdcacc004c7551aea1c950b1c57df
    EAP-Message = 0x020c002b1900170301002086e59e080b073e48dc4329f4b5ecd8c0f17b3de2518dc716f682f87afd0f3c8d
    NAS-Port-Type = Wireless-802.11
    Cisco-NAS-Port = "265"
    NAS-Port = 265
    State = 0xb96e281cb0623192c40f2d5bd304aa6d
    NAS-IP-Address = 10.1.1.30
    NAS-Identifier = "wifi-tur"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] expand: %t -> Tue Jun 8 11:31:04 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 12 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
[eap] Freeing handler
++[eap] returns ok
Login OK: [user1/<via Auth-Type = EAP>] (from client wifi-tur port 265 cli 001a.73f3.d763)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 82 to 10.1.1.30 port 1645
    User-Name = "user1"
    MS-MPPE-Recv-Key = 0x35342a56a23ada1ad2d9a47b9cdbf83772c622a3e9a106eb579826ab30c57309
    MS-MPPE-Send-Key = 0x2562ae6db4deae0501fa49f229d6c49f8a1afdd34e7ec37a8e0e867c4efbfa89
    EAP-Message = 0x030c0004
    Message-Authenticator = 0x00000000000000000000000000000000
Finished request 10.
=====================================================================================
_______________________ Cisco AP350 config about radius AAA __________________________
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.2.252 auth-port 1645 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
 server 192.168.2.252 auth-port 1645 acct-port 1813
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
!
aaa group server radius rad_acct1
!
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
dot11 ssid hotel
   authentication open eap eap_methods
   authentication network-eap eap_methods
   accounting acct_methods
   guest-mode
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.2.252 auth-port 1645 acct-port 1813 key 7 110B1E071E1E07050A2D
radius-server vsa send accounting
radius-server vsa send authentication

Best regards
Ilia Dreytser

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
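An added example, not part of the post above and not FreeRADIUS code: a small parser for `radiusd -X` output that, for each outer Access-Accept, reports whether a given attribute was present in the tunneled (inner PEAP) reply that preceded it and in the Accept itself. With `use_tunneled_reply = yes` the outer reply can only carry what the inner reply carried ("Using saved attributes from the original Access-Accept" in the log), so the first question when an attribute is missing is whether it ever reached the inner reply. The first sample is a trimmed copy of the log quoted in the post; the second sample is constructed to show what a working case looks like. Function and sample names are my own.

```python
"""Trace a RADIUS reply attribute through FreeRADIUS 2.x `radiusd -X` output.

Added example for this thread (not the post's or FreeRADIUS's own code).
It understands the line shapes seen in the debug output: a header line
("rad_recv: ... packet ...", "Sending <Code> of id N to ...",
"Sending tunneled request", "[peap] Got tunneled reply RADIUS code N")
followed by indented "Attribute = value" lines.
"""
import re
from dataclasses import dataclass, field

RE_RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
RE_SEND = re.compile(r"^Sending (\S+) of id (\d+) to ")
RE_TUNNEL_REQ = re.compile(r"^Sending tunneled request")
RE_TUNNEL_REPLY = re.compile(r"^\[peap\] Got tunneled reply RADIUS code (\d+)")
RE_ATTR = re.compile(r"^\s+([A-Za-z0-9-]+) = (.*)$")


@dataclass
class Packet:
    kind: str                      # "recv:Access-Request", "send:Access-Accept", "tunneled-reply", ...
    pid: str                       # RADIUS packet id; "" for tunneled packets
    attrs: dict = field(default_factory=dict)


def parse(log: str):
    """Split debug output into packets; attribute lines belong to the header just above them."""
    packets, cur = [], None
    for line in log.splitlines():
        m = RE_RECV.match(line)
        if m:
            cur = Packet("recv:" + m.group(1), m.group(3)); packets.append(cur); continue
        if RE_TUNNEL_REQ.match(line):
            cur = Packet("tunneled-request", ""); packets.append(cur); continue
        m = RE_TUNNEL_REPLY.match(line)
        if m:
            cur = Packet("tunneled-reply", m.group(1)); packets.append(cur); continue
        m = RE_SEND.match(line)
        if m:
            cur = Packet("send:" + m.group(1), m.group(2)); packets.append(cur); continue
        m = RE_ATTR.match(line)
        if m and cur is not None:
            cur.attrs[m.group(1)] = m.group(2)
        else:
            cur = None                 # any other line ends the attribute list
    return packets


def trace_attribute(log: str, attr: str):
    """For every outer Access-Accept, say whether `attr` was in the last inner reply and in the Accept."""
    out, last_inner = [], None
    for p in parse(log):
        if p.kind == "tunneled-reply":
            last_inner = p
        elif p.kind == "send:Access-Accept":
            out.append({
                "id": p.pid,
                "in_inner_reply": bool(last_inner and attr in last_inner.attrs),
                "in_outer_reply": attr in p.attrs,
                "inner_attrs": sorted(last_inner.attrs) if last_inner else [],
            })
    return out


# Trimmed copy of the debug output quoted in the post (long hex values shortened).
SAMPLE_FROM_POST = """\
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=81, length=210
    User-Name = "user1"
    NAS-IP-Address = 10.1.1.30
+- entering group authorize {...}
[peap] Got tunneled request
    EAP-Message = 0x020b00061a03
Sending tunneled request
    EAP-Message = 0x020b00061a03
    User-Name = "user1"
server proxy-inner-tunnel {
[peap] Got tunneled reply RADIUS code 2
    EAP-Message = 0x030b0004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "user1"
[peap] Tunneled authentication was successful.
Sending Access-Challenge of id 81 to 10.1.1.30 port 1645
    EAP-Message = 0x010c002b19
    State = 0xb96e281cb0623192c40f2d5bd304aa6d
Finished request 9.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=82, length=210
    User-Name = "user1"
[peap] Using saved attributes from the original Access-Accept
Sending Access-Accept of id 82 to 10.1.1.30 port 1645
    User-Name = "user1"
    MS-MPPE-Recv-Key = 0x3534
    MS-MPPE-Send-Key = 0x2562
    EAP-Message = 0x030c0004
Finished request 10.
"""

# Constructed (not from the post): the inner reply carries Framed-IP-Address, so the outer Accept can too.
SAMPLE_CONSTRUCTED_OK = """\
[peap] Got tunneled reply RADIUS code 2
    EAP-Message = 0x030b0004
    Framed-IP-Address = 192.168.3.10
    User-Name = "user1"
[peap] Tunneled authentication was successful.
Sending Access-Challenge of id 91 to 10.1.1.30 port 1645
    EAP-Message = 0x010c0004
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=92, length=160
    User-Name = "user1"
Sending Access-Accept of id 92 to 10.1.1.30 port 1645
    User-Name = "user1"
    Framed-IP-Address = 192.168.3.10
    EAP-Message = 0x030c0004
"""

if __name__ == "__main__":
    for name, sample in (("post", SAMPLE_FROM_POST), ("constructed", SAMPLE_CONSTRUCTED_OK)):
        for r in trace_attribute(sample, "Framed-IP-Address"):
            print(name, r)
```

Run as-is, the post's sample reports `in_inner_reply: False` and `in_outer_reply: False` with the inner reply holding only EAP-Message, Message-Authenticator and User-Name; the constructed sample reports True for both. For the real system the same script can be pointed at a saved `radiusd -X` capture (`trace_attribute(open(path).read(), "Framed-IP-Address")`) to see whether the billing server's answer ever carried the attribute before blaming the outer reply.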