My other message did not make it through..... Perhaps people are sick of hearing about this :)
I grabbed the latest snapshot on friday. Recompiled. Reconfigured the default radiusd.conf file to use eap/peap.
I am still seeing fragmented Access Challenge packets. However the first access challenge was not fragmented. The ones after that were.
My config, dumps and debug are included.
radtest works with the unchanged default radiusd.conf returning stuff from the users file.
Sending Access-Request of id 123 to 127.0.0.1:1812
User-Name = "wer"
User-Password = "testtest"
NAS-IP-Address = hotspot
NAS-Port = 1
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=123, length=37
User-Name = "wer"
Framed-IP-Address = xxx.xxx.xxx.31
Framed-IP-Netmask = 255.255.255.255
-----------------------------------------
Edit 1 to radiusd.conf: PEAP
Upon enabling peap (and thusly tls), radtest still works, but I get an access reject when attempting to use peap. I had to configure tls, right? I used my certs. I changed the default type for eap to peap and the default type for peap to mschapv2....
At one point I added copy_request_to_tunnel to peap {} because I think I
misinterpreted the debug below. I think that change was moot though. I am back to a similar fragmented frame problem as well, though I think the conversation made it further.
The first access challenge is not fragmented. However, the second challenge is severely fragmented. The supplicant says attempting to "authenticate the user" instead of just "validating user". So I think the supplicant is now responding to the challenge with another request. However, the next challenge is severely fragmented.
I am suspicious of these lines, which is why at one point I tried the copy_request_to_tunnel (radiusd.conf Edit 2) but realized it probably didn't matter at this point (radiusd.conf Edit 3).
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
-=Bill
cisco_dump_tunnel_radius
Description: Binary data
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/etc/raddb/thingything.thing.key"
tls: certificate_file = "/usr/local/etc/raddb/thingything.thing.crt"
tls: CA_file = "/usr/local/etc/raddb/thing.cacrt"
tls: private_key_password = "testtest"
tls: dh_file = "/usr/local/etc/raddb/my_imap.dh"
tls: random_file = "/usr/local/etc/raddb/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = yes
peap: use_tunneled_reply = no
rlm_eap: Loaded and initialized type peap
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host xxx.xxx.xxx.30:1208, id=62, length=158
User-Name = "wer"
Cisco-AVPair = "ssid=Ntelos_AP_01"
NAS-IP-Address = xxx.xxx.xxx.30
Called-Station-Id = "000dbda1f1e9"
Calling-Station-Id = "000dbd05196d"
NAS-Identifier = "xxx.xxx.net"
NAS-Port = 37
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x0202000801776572
Message-Authenticator = 0x26e04fca9fcf09668093c9e54f0a3fd4
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
rlm_eap: EAP packet type response id 2 length 8
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
rlm_realm: No '@' in User-Name = "wer", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
users: Matched wer at 107
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 62 to xxx.xxx.xxx.30:1208
User-Name = "wer"
Framed-IP-Address = xxx.xxx.xxx.31
Framed-IP-Netmask = 255.255.255.255
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5fc6f7a787d9c8863e74e0d01e369ac1
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host xxx.xxx.xxx.30:1209, id=63, length=248
User-Name = "wer"
Cisco-AVPair = "ssid=Ntelos_AP_01"
NAS-IP-Address = xxx.xxx.xxx.30
Called-Station-Id = "000dbda1f1e9"
Calling-Station-Id = "000dbd05196d"
NAS-Identifier = "xxx.xxx.net"
NAS-Port = 37
Framed-MTU = 1400
State = 0x5fc6f7a787d9c8863e74e0d01e369ac1
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message =
0x0203005019800000004616030100410100003d03013fbd4004a80cca9f870a19467585016c0979f3f8cb00b948e13d7157c972e17f00001600040005000a000900640062000300060013001200630100
Message-Authenticator = 0x6b085d91fa95d93b3b562e64f591b5d7
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
rlm_eap: EAP packet type response id 3 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
rlm_realm: No '@' in User-Name = "wer", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
users: Matched wer at 107
modcall[authorize]: module "files" returns ok for request 1
modcall[authorize]: module "mschap" returns noop for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
undefined: before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 06bc], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 63 to xxx.xxx.xxx.30:1209
User-Name = "wer"
Framed-IP-Address = xxx.xxx.xxx.31
Framed-IP-Netmask = 255.255.255.255
EAP-Message =
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
EAP-Message =
0x61646d696e406e74656c6f732e6e6574301e170d3033313131303139343534385a170d3034313130393139343534385a30818b310b30090603550406130255533111300f0603550408130856697267696e696131153013060355040a130c4e74656c6f732c20496e632e3111300f060355040b1308576972656c657373311b301906035504031312686f7473706f742e6e74656c6f732e6e65743122302006092a864886f70d010901161373797361646d696e406e74656c6f732e6e657430819f300d06092a864886f70d010101050003818d0030818902818100ece233781aba2a23858462031e67a61108117f60b7e8da871401f69b83020e1ccda9
EAP-Message =
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
EAP-Message =
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
EAP-Message = 0x0f060355040b1308496e7465726e6574312230200609
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc0efdbdc7e50636ca04823e160774c8b
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host xxx.xxx.xxx.30:1210, id=64, length=174
User-Name = "wer"
Cisco-AVPair = "ssid=Ntelos_AP_01"
NAS-IP-Address = xxx.xxx.xxx.30
Called-Station-Id = "000dbda1f1e9"
Calling-Station-Id = "000dbd05196d"
NAS-Identifier = "uncklejam.cstone.net"
NAS-Port = 37
Framed-MTU = 1400
State = 0xc0efdbdc7e50636ca04823e160774c8b
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x020400061900
Message-Authenticator = 0x311bfc5903163668388d058a898ac360
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
rlm_realm: No '@' in User-Name = "wer", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
users: Matched wer at 107
modcall[authorize]: module "files" returns ok for request 2
modcall[authorize]: module "mschap" returns noop for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 64 to xxx.xxx.xxx.30:1210
User-Name = "wer"
Framed-IP-Address = xxx.xxx.xxx.31
Framed-IP-Netmask = 255.255.255.255
EAP-Message =
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
EAP-Message =
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
EAP-Message =
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
EAP-Message =
0xdeb6f7701b846ada59f8931510179bb8db7caf0198822bff8f2f3311a2ff6c16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7ea4e1defed445380d8af496c1bdecaa
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host xxx.xxx.xxx.30:1211, id=65, length=360
User-Name = "wer"
Cisco-AVPair = "ssid=Ntelos_AP_01"
NAS-IP-Address = xxx.xxx.xxx.30
Called-Station-Id = "000dbda1f1e9"
Calling-Station-Id = "000dbd05196d"
NAS-Identifier = "uncklejam.cstone.net"
NAS-Port = 37
Framed-MTU = 1400
State = 0x7ea4e1defed445380d8af496c1bdecaa
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message =
0x020500c01980000000b616030100861000008200808f7f537c667852d60f81a4ec16adc1aceb541937632248a2c1b1e42a4271a5e50f659172f24098c79e60af8100ad1bb57f5819495669772378df6ff6103bd24a6ccbdd59b5e1a23302cf8eb0b51bacdc8b52a23aec0a38b599dbbf84ef518a7c0356ed2c234c74c07b19fa291be3c423fad770204d30c9654fcf4f423d1ba5a01403010001011603010020a548ab6cc387799d4f9519433eb3db9fb70b9854f57d415e2f869c2dfb0797f5
Message-Authenticator = 0x6528428e5155b0f5c29b366e768b95ef
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
rlm_eap: EAP packet type response id 5 length 192
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
rlm_realm: No '@' in User-Name = "wer", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 3
users: Matched wer at 107
modcall[authorize]: module "files" returns ok for request 3
modcall[authorize]: module "mschap" returns noop for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
undefined: SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 65 to xxx.xxx.xxx.30:1211
User-Name = "wer"
Framed-IP-Address = xxx.xxx.xxx.31
Framed-IP-Netmask = 255.255.255.255
EAP-Message =
0x010600311900140301000101160301002090a86d9682e632c326abd282d9d4b676dee2fd0b120853cce052e3a6ac922278
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6f086952b935c3b67f4b3b3820e5f804
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host xxx.xxx.xxx.30:1212, id=66, length=201
User-Name = "wer"
Cisco-AVPair = "ssid=Ntelos_AP_01"
NAS-IP-Address = xxx.xxx.xxx.30
Called-Station-Id = "000dbda1f1e9"
Calling-Station-Id = "000dbd05196d"
NAS-Identifier = "uncklejam.cstone.net"
NAS-Port = 37
Framed-MTU = 1400
State = 0x6f086952b935c3b67f4b3b3820e5f804
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message =
0x020600211980000000171503010012df84e69cf6342b4b03bb475882c45b13d36a
Message-Authenticator = 0x31f114bcdb8f79d749c255e8068c3ffa
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
rlm_eap: EAP packet type response id 6 length 33
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
rlm_realm: No '@' in User-Name = "wer", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
users: Matched wer at 107
modcall[authorize]: module "files" returns ok for request 4
modcall[authorize]: module "mschap" returns noop for request 4
modcall: group authorize returns updated for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Proceeding to decode tunneled attributes.
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
rlm_eap_peap: No data inside of the tunnel.
rlm_eap: Handler failed in EAP type 25
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 4
modcall: group authenticate returns invalid for request 4
auth: Failed to validate the user.
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 62 with timestamp 3fbd3fa2
Cleaning up request 1 ID 63 with timestamp 3fbd3fa2
Cleaning up request 2 ID 64 with timestamp 3fbd3fa2
Cleaning up request 3 ID 65 with timestamp 3fbd3fa2
Sending Access-Reject of id 66 to xxx.xxx.xxx.30:1212
EAP-Message = 0x04060004
Message-Authenticator = 0x00000000000000000000000000000000
Cleaning up request 4 ID 66 with timestamp 3fbd3fa2
Nothing to do. Sleeping until we see a request.
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
md5 {
}
leap {
}
tls {
private_key_password = password
private_key_file = /usr/local/etc/raddb/thing.net.key
certificate_file = /usr/local/etc/raddb/thing.net.crt
CA_file = /usr/local/etc/raddb/thing.net
dh_file = /usr/local/etc/raddb/my_imap.dh
random_file = /usr/local/etc/raddb/random
fragment_size = 1024
include_length = yes
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
}
mschapv2 {
}
}
mschap {
authtype = MS-CHAP
}
ldap {
server = "ldap.your.domain"
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}
realm realmslash {
format = prefix
delimiter = "/"
}
realm suffix {
format = suffix
delimiter = "@"
}
realm realmpercent {
format = suffix
delimiter = "%"
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port-Id"
}
$INCLUDE ${confdir}/sql.conf
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
}
}
instantiate {
expr
}
authorize {
preprocess
chap
eap
suffix
files
mschap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
eap
}
preacct {
preprocess
suffix
files
}
accounting {
acct_unique
detail
radutmp
}
session {
radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
eap
}
