Hi,

I recently upgraded from the CVS version of freeradius to 1.0.0-pre3.
Since then, my previously functional EAP/TLS config has stopped working.
I've modified the config to reflect the new use of eap.conf, rather than
the built-in eap module.  There have been no changes to the
certificates, no changes to the version of OpenSSL and no change to the
supplicant (Funk Odyssey 3.0 running on Windows XP SP1).

Below is the output from radiusd -X.  I apologise that it's such a long
log.  I believe that the relevant information is right at the end.

buddhist# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: bind_address = 192.168.103.1 IP address [192.168.103.1]
 main: user = "nobody"
 main: group = "nobody"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/etc/raddb/certs/radiusprivkey.pem"
 tls: certificate_file = "/usr/local/etc/raddb/certs/radiuscert.pem"
 tls: CA_file = "/usr/local/ssl/private/cacert.pem"
 tls: private_key_password = "muzzy28"
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = "md5"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication 192.168.103.1:1812
Listening on accounting 192.168.103.1:1813
Listening on proxy 192.168.103.1:1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.103.253:1590, id=68,
length=126
        User-Name = "000d5499164e"
        User-Password = "000d5499164e"
        NAS-IP-Address = 192.168.103.253
        Called-Station-Id = "004096311e3b"
        NAS-Port = 38
        NAS-Port-Type = Wireless-802.11
        Cisco-AVPair = "ssid=IPARCH"
        Calling-Station-Id = "000d5499164e"
        NAS-Identifier = "Aironet"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "000d5499164e", looking up realm
NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "000d5499164e"
    rlm_realm: Proxying request from user 000d5499164e to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
  modcall[authorize]: module "files" returns notfound for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [000d5499164e/000d5499164e] (from client Aironet port
38 cli 000d5499164e)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 192.168.103.253:1591, id=69,
length=163
        User-Name = "[EMAIL PROTECTED]"
        Cisco-AVPair = "ssid=IPARCH"
        NAS-IP-Address = 192.168.103.253
        Called-Station-Id = "004096311e3b"
        Calling-Station-Id = "000d5499164e"
        NAS-Identifier = "Aironet"
        NAS-Port = 38
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        EAP-Message = 0x027700140167757964406970617263682e6e6574
        Message-Authenticator = 0x1c1de4a30edd950ba5bbea0f08f327ac
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: Looking up realm "iparch.net" for User-Name =
"[EMAIL PROTECTED]"
    rlm_realm: Found realm "iparch.net"
    rlm_realm: Adding Stripped-User-Name = "guyd"
    rlm_realm: Proxying request from user guyd to realm iparch.net
    rlm_realm: Adding Realm = "iparch.net"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 119 length 20
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
  modcall[authorize]: module "files" returns notfound for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 69 to 192.168.103.253:1591
        EAP-Message = 0x017800060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x59282ed36502e054ab4a17d0eae911ac
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 192.168.103.253:1592, id=70,
length=259
        User-Name = "[EMAIL PROTECTED]"
        Cisco-AVPair = "ssid=IPARCH"
        NAS-IP-Address = 192.168.103.253
        Called-Station-Id = "004096311e3b"
        Calling-Station-Id = "000d5499164e"
        NAS-Identifier = "Aironet"
        NAS-Port = 38
        Framed-MTU = 1400
        State = 0x59282ed36502e054ab4a17d0eae911ac
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        EAP-Message =
0x027800620d800000005816030100530100004f030140d9f16da7f3c425ed603d801a4f
8c930a7ac34f41c7f1dec1529d967929e19b00002800160013006600150012000a000500
040009006300650060006200610064001400110003000600080100
        Message-Authenticator = 0x6fdf66c7c95156e555bf5082ec52dc8c
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: Looking up realm "iparch.net" for User-Name =
"[EMAIL PROTECTED]"
    rlm_realm: Found realm "iparch.net"
    rlm_realm: Adding Stripped-User-Name = "guyd"
    rlm_realm: Proxying request from user guyd to realm iparch.net
    rlm_realm: Adding Realm = "iparch.net"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: EAP packet type response id 120 length 98
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
  modcall[authorize]: module "files" returns notfound for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0053], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0a1f], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 00cc], CertificateRequest
    TLS_accept: SSLv3 write certificate request A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 70 to 192.168.103.253:1592
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc8990606d021a95d865fe859761a9804
Finished request 2
Going to the next request
--- Walking the entire request list ---
Sending Access-Reject of id 68 to 192.168.103.253:1590
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 192.168.103.253:1593, id=71,
length=167
        User-Name = "[EMAIL PROTECTED]"
        Cisco-AVPair = "ssid=IPARCH"
        NAS-IP-Address = 192.168.103.253
        Called-Station-Id = "004096311e3b"
        Calling-Station-Id = "000d5499164e"
        NAS-Identifier = "Aironet"
        NAS-Port = 38
        Framed-MTU = 1400
        State = 0xc8990606d021a95d865fe859761a9804
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        EAP-Message = 0x027900060d00
        Message-Authenticator = 0xdf2986fe7157def30bdde9d136983fce
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
    rlm_realm: Looking up realm "iparch.net" for User-Name =
"[EMAIL PROTECTED]"
    rlm_realm: Found realm "iparch.net"
    rlm_realm: Adding Stripped-User-Name = "guyd"
    rlm_realm: Proxying request from user guyd to realm iparch.net
    rlm_realm: Adding Realm = "iparch.net"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 3
  rlm_eap: EAP packet type response id 121 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
  modcall[authorize]: module "files" returns notfound for request 3
modcall: group authorize returns updated for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 71 to 192.168.103.253:1593
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1951dc5b3a356ec80a81c6101f826c23
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 192.168.103.253:1594, id=72,
length=167
        User-Name = "[EMAIL PROTECTED]"
        Cisco-AVPair = "ssid=IPARCH"
        NAS-IP-Address = 192.168.103.253
        Called-Station-Id = "004096311e3b"
        Calling-Station-Id = "000d5499164e"
        NAS-Identifier = "Aironet"
        NAS-Port = 38
        Framed-MTU = 1400
        State = 0x1951dc5b3a356ec80a81c6101f826c23
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        EAP-Message = 0x027a00060d00
        Message-Authenticator = 0x34e5f0775aa1a19f1c91d6e1c6eb1bdf
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: Looking up realm "iparch.net" for User-Name =
"[EMAIL PROTECTED]"
    rlm_realm: Found realm "iparch.net"
    rlm_realm: Adding Stripped-User-Name = "guyd"
    rlm_realm: Proxying request from user guyd to realm iparch.net
    rlm_realm: Adding Realm = "iparch.net"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: EAP packet type response id 122 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
  modcall[authorize]: module "files" returns notfound for request 4
modcall: group authorize returns updated for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 72 to 192.168.103.253:1594
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x7d6f2c09caa53c378167f97a865b40be
Finished request 4
Going to the next request
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 192.168.103.253:1595, id=73,
length=1571
        User-Name = "[EMAIL PROTECTED]"
        Cisco-AVPair = "ssid=IPARCH"
        NAS-IP-Address = 192.168.103.253
        Called-Station-Id = "004096311e3b"
        Calling-Station-Id = "000d5499164e"
        NAS-Identifier = "Aironet"
        NAS-Port = 38
        Framed-MTU = 1400
        State = 0x7d6f2c09caa53c378167f97a865b40be
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        Message-Authenticator = 0x4412a92a4149941015a3cda010009895
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "chap" returns noop for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
    rlm_realm: Looking up realm "iparch.net" for User-Name =
"[EMAIL PROTECTED]"
    rlm_realm: Found realm "iparch.net"
    rlm_realm: Adding Stripped-User-Name = "guyd"
    rlm_realm: Proxying request from user guyd to realm iparch.net
    rlm_realm: Adding Realm = "iparch.net"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 5
  rlm_eap: EAP packet type response id 123 length 253
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
  modcall[authorize]: module "files" returns notfound for request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Received EAP-TLS First Fragment of the message
  eaptls_verify returned 9
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
Sending Access-Challenge of id 73 to 192.168.103.253:1595
        EAP-Message = 0x017c00060d00
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x6bdbb6fe6590dc59560eea5d883a6288
Finished request 5
Going to the next request
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 192.168.103.253:1596, id=74,
length=1375
        User-Name = "[EMAIL PROTECTED]"
        Cisco-AVPair = "ssid=IPARCH"
        NAS-IP-Address = 192.168.103.253
        Called-Station-Id = "004096311e3b"
        Calling-Station-Id = "000d5499164e"
        NAS-Identifier = "Aironet"
        NAS-Port = 38
        Framed-MTU = 1400
        State = 0x6bdbb6fe6590dc59560eea5d883a6288
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        Message-Authenticator = 0x26470ac969ad0d74287d181c69d9a770
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
    rlm_realm: Looking up realm "iparch.net" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "iparch.net"
    rlm_realm: Adding Stripped-User-Name = "guyd"
    rlm_realm: Proxying request from user guyd to realm iparch.net
    rlm_realm: Adding Realm = "iparch.net"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 6
  rlm_eap: EAP packet type response id 124 length 253
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
  modcall[authorize]: module "files" returns notfound for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0907], Certificate
chain-depth=1,
error=0
--> User-Name = [EMAIL PROTECTED]
--> BUF-Name = IP Architectures CA
--> subject = /C=GB/ST=Hampshire/L=Church Crookham/O=IP Architectures/OU=Certificate Authority/CN=IP Architectures CA/[EMAIL PROTECTED]
--> issuer  = /C=GB/ST=Hampshire/L=Church Crookham/O=IP Architectures/OU=Certificate Authority/CN=IP Architectures CA/[EMAIL PROTECTED]
--> verify return:1
chain-depth=0,
error=0
--> User-Name = [EMAIL PROTECTED]
--> BUF-Name = [EMAIL PROTECTED]
--> subject = /C=GB/ST=Hampshire/L=Church Crookham/O=IP Architectures/[EMAIL PROTECTED]/[EMAIL PROTECTED]
--> issuer  = /C=GB/ST=Hampshire/L=Church Crookham/O=IP Architectures/OU=Certificate Authority/CN=IP Architectures CA/[EMAIL PROTECTED]
--> verify return:1
    TLS_accept: SSLv3 read client certificate A
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal handshake_failure
TLS Alert read:fatal:handshake failure
    TLS_accept:failed in SSLv3 read certificate verify A
3940:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1052:SSL alert number 40
3940:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase
In SSL Accept mode
rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
  eaptls_process returned 13
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/<no User-Password attribute>] (from client Aironet port 38 cli 000d5499164e)
Delaying request 6 for 1 seconds
Finished request 6
Going to the next request
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 68 with timestamp 40d9f13e
Sending Access-Reject of id 74 to 192.168.103.253:1596
        EAP-Message = 0x047c0004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 69 with timestamp 40d9f13f
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 70 with timestamp 40d9f140
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 71 with timestamp 40d9f141
Cleaning up request 4 ID 72 with timestamp 40d9f141
Cleaning up request 5 ID 73 with timestamp 40d9f141
Cleaning up request 6 ID 74 with timestamp 40d9f141
Nothing to do.  Sleeping until we see a request.

Regards,

Guy
