Hi,

I have successfully authenticated a Linux client (xsupplicant) with an
AP running hostapd that talks to a RADIUS server (FreeRADIUS 0.9.3
debian/unstable) with EAP-TLS.

I have also successfully authenticated a Win XP client, but after some
30 seconds the Win XP client seems to send a new request and the RADIUS
server accepts it. Then the RADIUS server starts to clean up requests,
the Win XP client drops its connection, and I need to "Connect" the
client again.

When I see this message, the Win XP client drops the connection:

Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 12 ID 98 with timestamp 40b31cc9
Cleaning up request 13 ID 99 with timestamp 40b31cc9
Cleaning up request 14 ID 100 with timestamp 40b31cc9
Cleaning up request 15 ID 101 with timestamp 40b31cc9
Cleaning up request 16 ID 102 with timestamp 40b31cc9
Cleaning up request 17 ID 103 with timestamp 40b31cc9


How can my Linux client work perfectly, but the Win XP client not? (well, almost not)


/Regards Ulf

The Win XP client has the latest WPA patch from Microsoft.
I have attached the RADIUS log and the radiusd.conf file.


Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/freeradius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/freeradius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/freeradius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/var/run/freeradius/freeradius.pid"
 main: user = "freerad"
 main: group = "freerad"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/freeradius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/1x/server/server.pem"
 tls: certificate_file = "/etc/1x/server/server.pem"
 tls: CA_file = "/etc/1x/server/root.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/etc/1x/DH"
 tls: random_file = "/etc/1x/random"
 tls: fragment_size = 1024
 tls: include_length = yes
rlm_eap_tls: conf N ctx stored 
rlm_eap: Loaded and initialized the type tls
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/etc/freeradius/huntgroups"
 preprocess: hints = "/etc/freeradius/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix) 
Module: Loaded files 
 files: usersfile = "/etc/freeradius/users"
 files: acctusersfile = "/etc/freeradius/acct_users"
 files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files) 
Module: Loaded Acct-Unique-Session-Id 
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, 
NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded detail 
 detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail) 
Module: Loaded radutmp 
 radutmp: filename = "/var/log/freeradius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp) 
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 10.11.10.11:1026, id=86, length=150
        User-Name = "username"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1
        Called-Station-Id = "11-22-33-44-55-66:test"
        Calling-Station-Id = "AA-BB-CC-DD-EE-FF"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0200000b016b6566666f36
        Message-Authenticator = 0x943edcc4732aa542d3381f002a7567c6
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  rlm_eap: EAP packet type notification id 0 length 11
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 0
    rlm_realm: No '@' in User-Name = "username", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    users: Matched DEFAULT at 153
    users: Matched username at 228
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 0
  rlm_eap: EAP packet type notification id 0 length 11
  rlm_eap: EAP Start not found
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [username/<no User-Password attribute>] (from client AP port 1 cli 
AA-BB-CC-DD-EE-FF)
Sending Access-Challenge of id 86 to 10.11.10.11:1026
        EAP-Message = 0x010100060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 
0xd12a5ac9ae1c21cb347970e9fdc7aac6ba1cb34022646a60755838a9239379e23735b95d
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.11.10.11:1026, id=87, length=289
        User-Name = "username"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1
        Called-Station-Id = "11-22-33-44-55-66:test"
        Calling-Station-Id = "AA-BB-CC-DD-EE-FF"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 
0x020100700d800000006616030100610100005d030140b31cbc3fabdae2afed328f4a87b98699dfa5018ae818d8b76bbe798dc21290203539fb0e66b32aa66f9621fd655618fb0412ad7e564c90f6d84e872b39c2049d001600040005000a000900640062000300060013001200630100
        State = 
0xd12a5ac9ae1c21cb347970e9fdc7aac6ba1cb34022646a60755838a9239379e23735b95d
        Message-Authenticator = 0x6c4257773e64d688a990b1cbc8da26bb
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  rlm_eap: EAP packet type notification id 1 length 112
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 1
    rlm_realm: No '@' in User-Name = "username", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
    users: Matched DEFAULT at 153
    users: Matched username at 228
  modcall[authorize]: module "files" returns ok for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 1
  rlm_eap: EAP packet type notification id 1 length 112
  rlm_eap: EAP Start not found
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
rlm_eap_tls:  Length Included
undefined: before/accept initialization 
TLS_accept: before/accept initialization 
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello  
TLS_accept: SSLv3 read client hello A 
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello  
TLS_accept: SSLv3 write server hello A 
rlm_eap_tls: >>> TLS 1.0 Handshake [length 070e], Certificate  
TLS_accept: SSLv3 write certificate A 
rlm_eap_tls: >>> TLS 1.0 Handshake [length 00cb], CertificateRequest  
TLS_accept: SSLv3 write certificate request A 
TLS_accept: SSLv3 flush data 
TLS_accept:error in SSLv3 read client certificate A 
rlm_eap_tls: SSL_read Error
 Error code is ..... 2 
 SSL Error ..... 2 
  modcall[authenticate]: module "eap" returns ok for request 1
modcall: group authenticate returns ok for request 1
Login OK: [username/<no User-Password attribute>] (from client AP port 1 cli 
AA-BB-CC-DD-EE-FF)
Sending Access-Challenge of id 87 to 10.11.10.11:1026
        EAP-Message = 
0xa6082140881048c9e315d72481d649d8a778cf1fec0c58253872df14d9e5576fa4d14fd38bc154d62fa591ec8d1873a5ffd40f9035e183526cfe90c82e1ca7d16af068c34d6e97b9c75c01e79062284b1be05989715255473a8a50c945d05226505c146b1694abde00040a308204063082036fa003020102020100300d06092a864886f70d01010405003081b9310b3009060355040613024354311430120603550408130b436f6e6e65637469637574310f300d0603550407130643616e746f6e3120301e060355040a1317566976656e646920556e6976657273616c2047616d6573311e301c060355040b131546756e6e79626f6e6520496e746572
        EAP-Message = 0x616374697665311e301c0603550403131546756e6e79
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 
0x6bfd381f6387e45e9ec24489d8871c49ba1cb340d1a43a026825dda2eb759fd681e893ec
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.11.10.11:1026, id=88, length=183
        User-Name = "username"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1
        Called-Station-Id = "11-22-33-44-55-66:test"
        Calling-Station-Id = "AA-BB-CC-DD-EE-FF"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020200060d00
        State = 
0x6bfd381f6387e45e9ec24489d8871c49ba1cb340d1a43a026825dda2eb759fd681e893ec
        Message-Authenticator = 0x34487632620182209c7fdaf235e58945
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  rlm_eap: EAP packet type notification id 2 length 6
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 2
    rlm_realm: No '@' in User-Name = "username", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
    users: Matched DEFAULT at 153
    users: Matched username at 228
  modcall[authorize]: module "files" returns ok for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 2
  rlm_eap: EAP packet type notification id 2 length 6
  rlm_eap: EAP Start not found
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
rlm_eap_tls: Received EAP-TLS ACK message
  modcall[authenticate]: module "eap" returns ok for request 2
modcall: group authenticate returns ok for request 2
Login OK: [username/<no User-Password attribute>] (from client AP port 1 cli 
AA-BB-CC-DD-EE-FF)
Sending Access-Challenge of id 88 to 10.11.10.11:1026
        EAP-Message = 
0x864886f70d0109011612726d636b617940767567616d65732e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100b635cda73b4798a345c557ef8d4f70d73e12097392f5bfbed69828c19010e6306a5dd257e0b5f3d72ada927adc4d26f34dfda8d66b02501f37ddc6f525305c747e727f13c8b16efe4d68c69081343ec60a397a7f3dab824faf25a1cb39fee4e61ceb2bc83a5919e7b8bb191f0cad82103018f9462ab28ddc9737e9416d7187990203010001a382011a30820116301d0603551d0e0416041481fbacd2a184831fb57c2f6d9783fd4f04c99c463081e60603551d230481de3081db801481fbacd2a184831f
        EAP-Message = 0x65311e301c0603550403131546756e6e79626f6e6520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 
0xa22efe3e818aebfeccd0b2f4fa92a5e8ba1cb340ed7d1c18f017850f3c7827f65823463a
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.11.10.11:1026, id=89, length=183
        User-Name = "username"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1
        Called-Station-Id = "11-22-33-44-55-66:test"
        Calling-Station-Id = "AA-BB-CC-DD-EE-FF"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020300060d00
        State = 
0xa22efe3e818aebfeccd0b2f4fa92a5e8ba1cb340ed7d1c18f017850f3c7827f65823463a
        Message-Authenticator = 0x82bab654dcf57fd1b85aead01bffdfea
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  rlm_eap: EAP packet type notification id 3 length 6
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 3
    rlm_realm: No '@' in User-Name = "username", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
    users: Matched DEFAULT at 153
    users: Matched username at 228
  modcall[authorize]: module "files" returns ok for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
modcall: group authorize returns updated for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 3
  rlm_eap: EAP packet type notification id 3 length 6
  rlm_eap: EAP Start not found
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
rlm_eap_tls: Received EAP-TLS ACK message
  modcall[authenticate]: module "eap" returns ok for request 3
modcall: group authenticate returns ok for request 3
Login OK: [username/<no User-Password attribute>] (from client AP port 1 cli 
AA-BB-CC-DD-EE-FF)
Sending Access-Challenge of id 89 to 10.11.10.11:1026
        EAP-Message = 
0x0104003c0d8000000832576972656c6573732043413121301f06092a864886f70d0109011612726d636b617940767567616d65732e636f6d0e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 
0x2ed30d41053be8e6f98caf4ef6d4c47dba1cb34087d5b67c5ea24555ee1e8e3936415a24
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.11.10.11:1026, id=90, length=1279
        User-Name = "username"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1
        Called-Station-Id = "11-22-33-44-55-66:test"
        Calling-Station-Id = "AA-BB-CC-DD-EE-FF"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 
0x6a7ee04d569e5d64ad3d87f78ce56e36e34d863437c028fe100000820080410d6abc0993dcb45c3f07139f01f4d3fd0b71e4193d8b92125ef633cd9e251b3fca0635e58bb7265bd3f4098b344a652ef491dd1ae3c484991c3525ba3a1c71b24039a9d9ff2bf158c1e59d1f96ed1777536d8dff8d527ea2ff9516987f31ef24595f0ccbcb1af528475ed66f03dc5dee4376fe7880b040df3f9e7fe12953e50f0000820080312a8994842cbf67ae12dd4438d5d7efdf44bec8c22c70d618e15f2b4235c679301aec83babf9240108af9f5764565d273b20cd79265bcb354d7fc93e03520af882be9731cdda7de147ef0823e89d86d28045bdba5deff69d8
        EAP-Message = 
0xa27420fdaca148dbae2f87bb3fc7dab6220b31989242fba3793b8c40c3a4bc0e8a687d4fa572a11403010001011603010020d3d29c618230fccb90b7c7095c8bff5ae63d0bfee4b530bcf163e4bafa387bbd
        State = 
0x2ed30d41053be8e6f98caf4ef6d4c47dba1cb34087d5b67c5ea24555ee1e8e3936415a24
        Message-Authenticator = 0x9b3d4edad6a0fb5082f2107127402d55
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  rlm_eap: EAP packet type notification id 4 length 1094
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 4
    rlm_realm: No '@' in User-Name = "username", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
    users: Matched DEFAULT at 153
    users: Matched username at 228
  modcall[authorize]: module "files" returns ok for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
modcall: group authorize returns updated for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 4
  rlm_eap: EAP packet type notification id 4 length 1094
  rlm_eap: EAP Start not found
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
rlm_eap_tls:  Length Included
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0300], Certificate  
chain-depth=1, 
error=0
--> User-Name = username
--> BUF-Name = Funnybone Wireless CA
--> subject = /C=CT/ST=Connecticut/L=Canton/O=Vivendi Universal Games/OU=Funnybone 
Interactive/CN=Funnybone Wireless CA/[EMAIL PROTECTED]
--> issuer  = /C=CT/ST=Connecticut/L=Canton/O=Vivendi Universal Games/OU=Funnybone 
Interactive/CN=Funnybone Wireless CA/[EMAIL PROTECTED]
--> verify return:1
chain-depth=0, 
error=0
--> User-Name = username
--> BUF-Name = username
--> subject = /C=CT/ST=Connecticut/L=Canton/O=Vivendi Universal Games/OU=Funnybone 
Interactive/CN=username/[EMAIL PROTECTED]
--> issuer  = /C=CT/ST=Connecticut/L=Canton/O=Vivendi Universal Games/OU=Funnybone 
Interactive/CN=Funnybone Wireless CA/[EMAIL PROTECTED]
--> verify return:1
TLS_accept: SSLv3 read client certificate A 
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange  
TLS_accept: SSLv3 read client key exchange A 
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify  
TLS_accept: SSLv3 read certificate verify A 
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]  
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished  
TLS_accept: SSLv3 read finished A 
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]  
TLS_accept: SSLv3 write change cipher spec A 
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished  
TLS_accept: SSLv3 write finished A 
TLS_accept: SSLv3 flush data 
undefined: SSL negotiation finished successfully 
rlm_eap_tls: SSL_read Error
 Error code is ..... 2 
 SSL Error ..... 2 
  modcall[authenticate]: module "eap" returns ok for request 4
modcall: group authenticate returns ok for request 4
Login OK: [username/<no User-Password attribute>] (from client AP port 1 cli 
AA-BB-CC-DD-EE-FF)
Sending Access-Challenge of id 90 to 10.11.10.11:1026
        EAP-Message = 
0x010500350d800000002b14030100010116030100203d0039d91b03e35b16adeccc098eabeb0a8c46d59f4ec0db1fae7d27749fbc26
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 
0x61e2c044dacb14698b41db45e33640efba1cb340c77d048eff637f31bf0c4998d39e5229
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.11.10.11:1026, id=91, length=183
        User-Name = "username"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1
        Called-Station-Id = "11-22-33-44-55-66:test"
        Calling-Station-Id = "AA-BB-CC-DD-EE-FF"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020500060d00
        State = 
0x61e2c044dacb14698b41db45e33640efba1cb340c77d048eff637f31bf0c4998d39e5229
        Message-Authenticator = 0x3dd408bebc9e0a06401802d8c7e58131
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "chap" returns noop for request 5
  rlm_eap: EAP packet type notification id 5 length 6
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 5
    rlm_realm: No '@' in User-Name = "username", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 5
    users: Matched DEFAULT at 153
    users: Matched username at 228
  modcall[authorize]: module "files" returns ok for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 5
  rlm_eap: EAP packet type notification id 5 length 6
  rlm_eap: EAP Start not found
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 5
modcall: group authenticate returns ok for request 5
Login OK: [username/<no User-Password attribute>] (from client AP port 1 cli 
AA-BB-CC-DD-EE-FF)
Sending Access-Accept of id 91 to 10.11.10.11:1026
        MS-MPPE-Recv-Key = 
0xe900c6ee26d0f2b3c365db97916e2f577131543b0337eeb318477cfc61e4f1af
        MS-MPPE-Send-Key = 
0x20e213625226083e4c9a50105a97460e0b3b84b658c3e79f06d2f1250a59f0a0
        EAP-Message = 0x03050004
        Message-Authenticator = 0x00000000000000000000000000000000
Finished request 5
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 86 with timestamp 40b31cba
Cleaning up request 1 ID 87 with timestamp 40b31cba
Cleaning up request 2 ID 88 with timestamp 40b31cba
Cleaning up request 3 ID 89 with timestamp 40b31cba
Cleaning up request 4 ID 90 with timestamp 40b31cba
Cleaning up request 5 ID 91 with timestamp 40b31cba
Nothing to do.  Sleeping until we see a request.

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid

user = freerad
group = freerad
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
}
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf

$INCLUDE  ${confdir}/clients.conf

snmp    = no
$INCLUDE  ${confdir}/snmp.conf

thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        pap {
                encryption_scheme = crypt
        }
        chap {
                authtype = CHAP
        }
        pam {
                pam_auth = radiusd
        }
        unix {
                cache = no
                cache_reload = 600
                shadow = /etc/shadow

                radwtmp = ${logdir}/radwtmp
        }
        eap {
                default_eap_type = tls
                timer_expire     = 60

                md5 {
                }
                leap {
                }
                tls {
                        private_key_password = whatever
                        private_key_file = /etc/1x/server/server.pem
                        certificate_file = /etc/1x/server/server.pem
                        CA_file = /etc/1x/server/root.pem
                        dh_file = /etc/1x/DH
                        random_file = /etc/1x/random
                        fragment_size = 1024
                        include_length = yes
                }

        }
        mschap {
                authtype = MS-CHAP
                

        }
        ldap {
                server = "ldap.your.domain"
                basedn = "o=My Org,c=UA"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                access_attr = "dialupAccess"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }


        realm realmslash {
                format = prefix
                delimiter = "/"
        }
        realm suffix {
                format = suffix
                delimiter = "@"
        }
        realm realmpercent {
                format = suffix
                delimiter = "%"
        }
        

        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                compat = no
        }
        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
        }


        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
        }

        $INCLUDE  ${confdir}/sql.conf
        radutmp {
                filename = ${logdir}/radutmp
                username = %{User-Name}
                case_sensitive = yes
                check_with_nas = yes            
                perm = 0600
                callerid = "yes"
        }
        radutmp sradutmp {
                filename = ${logdir}/sradutmp
                perm = 0644
                callerid = "no"
        }
        attr_filter {
                attrsfile = ${confdir}/attrs
        }
        counter daily {
                filename = ${raddbdir}/db.daily
                key = User-Name
                count-attribute = Acct-Session-Time
                reset = daily
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                allowed-servicetype = Framed-User
                cache-size = 5000
        }
        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }
        expr {
        }
        digest {
        }
        exec {
                wait = yes
                input_pairs = request
        }
        exec echo {
                wait = yes
                program = "/bin/echo %{User-Name}"
                input_pairs = request
                output_pairs = reply
        }
        ippool main_pool {
                range-start = 192.168.1.1
                range-stop = 192.168.3.254
                netmask = 255.255.255.0
                cache-size = 800
                session-db = ${raddbdir}/db.ippool
                ip-index = ${raddbdir}/db.ipindex
                override = no
        }

}
instantiate {
        expr
}
authorize {
        preprocess
        
        chap

        eap

        suffix
        files

        mschap

}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }

        unix

        eap
}

preacct {
        preprocess
        suffix
        files
}
accounting {
        acct_unique
        detail

        radutmp
}

session {
        radutmp
}

post-auth {
}
pre-proxy {
}
post-proxy {

        eap
}
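
To follow the EAP-TLS exchange in the debug log above, the EAP-Message hex values can be decoded into EAP code, identifier, EAP-TLS flags and TLS records. This is an added example, not part of the original post or of FreeRADIUS; the hex strings are copied from the log, and the function names and sample labels are made up for the illustration.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS"}
TLS_RECORDS = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_HANDSHAKES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                  12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
                  15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished"}
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # Length included, More fragments, Start


def parse_tls_records(data):
    """Split a complete TLS flight into (record type, first handshake message, body length)."""
    records, pos, encrypted = [], 0, False
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated TLS record header")
        rtype, _version, rlen = struct.unpack("!BHH", data[pos:pos + 5])
        body = data[pos + 5:pos + 5 + rlen]
        if len(body) != rlen:
            raise ValueError("truncated TLS record body")
        msg = None
        if rtype == 22 and body:
            # After ChangeCipherSpec the handshake body is ciphertext; its type byte is unreadable.
            msg = "encrypted" if encrypted else TLS_HANDSHAKES.get(body[0], "unknown")
        if rtype == 20:
            encrypted = True
        records.append((TLS_RECORDS.get(rtype, rtype), msg, rlen))
        pos += 5 + rlen
    return records


def decode_eap(attrs):
    """Decode one EAP packet from the hex values of its RADIUS EAP-Message attributes, in order."""
    raw = b"".join(bytes.fromhex(a[2:] if a.lower().startswith("0x") else a) for a in attrs)
    if len(raw) < 4:
        raise ValueError("an EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field says {length}, got {len(raw)} bytes")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if length == 4:  # Success and Failure carry no type field
        return pkt
    pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
    if raw[4] != 13 or length < 6:
        return pkt
    flags, data, total = raw[5], raw[6:], None
    pkt["flags"] = "".join(c for c, bit in (("L", FLAG_L), ("M", FLAG_M), ("S", FLAG_S))
                           if flags & bit)
    if flags & FLAG_L:
        if len(data) < 4:
            raise ValueError("L flag set but TLS message length is missing")
        total, data = struct.unpack("!I", data[:4])[0], data[4:]
    pkt["tls_total"] = total
    if not data:
        pkt["kind"] = "start" if flags & FLAG_S else "ack"
    elif flags & FLAG_M or (total is not None and total != len(data)):
        pkt["kind"] = "fragment"  # record boundaries only make sense after reassembly
    else:
        try:
            pkt["records"] = parse_tls_records(data)
            pkt["kind"] = "complete"
        except ValueError:
            pkt["kind"] = "fragment"  # final fragment sent without the L flag
    return pkt


# Hex values copied from the debug log above; the dictionary keys are labels made up here.
CLIENT_HELLO = ("0x020100700d8000000066" "1603010061" "0100005d0301"
                "40b31cbc3fabdae2afed328f4a87b98699dfa5018ae818d8b76bbe798dc21290"
                "20"
                "3539fb0e66b32aa66f9621fd655618fb0412ad7e564c90f6d84e872b39c2049d"
                "0016" "00040005000a000900640062000300060013001200630100")
LAST_SERVER_FRAGMENT = ("0x0104003c0d8000000832"
                        "576972656c6573732043413121301f06092a864886f70d0109011612"
                        "726d636b617940767567616d65732e636f6d0e000000")
SERVER_FINISHED = ("0x010500350d800000002b" "140301000101" "1603010020"
                   "3d0039d91b03e35b16adeccc098eabeb0a8c46d59f4ec0db1fae7d27749fbc26")
SAMPLES = {
    "Access-Challenge id 86": ["0x010100060d20"],
    "Access-Request id 87": [CLIENT_HELLO],
    "Access-Request id 88": ["0x020200060d00"],
    "Access-Challenge id 89": [LAST_SERVER_FRAGMENT],
    "Access-Challenge id 90": [SERVER_FINISHED],
    "Access-Accept id 91": ["0x03050004"],
}

if __name__ == "__main__":
    for label, attrs in SAMPLES.items():
        print(label, decode_eap(attrs))
```

When a RADIUS packet carries several EAP-Message attributes, pass all of their values in order as one list, since together they form a single EAP packet.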
