@Alan DeKok
> I'll bet that if you posted the final Access-Accept from 1.1.7 and from
> 2.0.1, that they would be *different*. If you make them the same, I'll also
> bet that the NAS will accept the user.
You were right (you win the bet): I accidentally commented out an entry in the
"default" file, whose settings were included in radiusd.conf in the previous
version of FreeRADIUS.
> Stop fighting with the certificates. You're wasting your time, and confusing
> yourself. Start looking at the contents of the Access-Accept, which is the
> only thing that really matters.
With that hint I was able to get Windows and Linux laptops working again using
EAP-TLS and FreeRADIUS 2.0.1. I also managed to get a WM2003 and a WM6 PDA
connecting using EAP-PEAP.
For using EAP-TLS with the Windows Mobile devices I still have to solve one
problem, which I think would be no problem for you: the problem with the
username of the devices.
If I disable the option "check_cert_cn = %{User-Name}" in eap.conf I get a
working configuration, but in the end it should also work with that option enabled.
The problem with the Windows Mobile devices is that they always submit
"DOMAIN\user" as the username. If you leave the domain name blank, "\user" is
still used.
Since the radiusd.conf hints say that I should NOT use the option
"with_ntdomain_hack" (and when I tested it, it still didn't work for me), I wanted
to use the realm module.
But at the moment I don't fully understand how realms work, although I did read
the posting on this mailing list (from 2004) and the manpage.
I know that I will have to use the realm module
# 'domain\user'
realm ntdomain {
format = prefix
delimiter = "\\"
}
for that, but what else do I have to configure when I want to use a "blank"
domain? First I tried with a domain called "bla", which is configured in
proxy.conf:
realm bla {
authhost = LOCAL
accthost = LOCAL
}
The attached logfile shows that the username is stripped correctly, but
obviously the stripped username is not passed correctly to the EAP module. Can
anyone tell me what else I have to configure? My goal is simply to strip the
"empty" domain from the username, so that EAP-TLS works with the option
"check_cert_cn = %{User-Name}" enabled in eap.conf.
In short:
How do I specify an empty domain (realm "" {authhost = LOCAL, accthost = LOCAL}
doesn't work)?
What else do I have to configure when the realm ntdomain is set in radiusd.conf
(I have also set ntdomain in the "authorize" and "preacct" sections)?
Best regards and thanks in advance
Stefan Puch
PS: When I've got a working configuration for the Windows Mobile devices, I'm
going to write a little HOWTO like the "EAP/TLS Setup for FreeRADIUS and
Windows XP Supplicant" one, just for mobile PDAs.
FreeRADIUS Version 2.0.1, for host i586-mandriva-linux-gnu, built on Jan 24
2008 at 21:20:10
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
user = "radius"
group = "radius"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
}
client 127.0.0.1 {
require_message_authenticator = no
secret = "test"
shortname = "localhost"
}
client 192.168.0.8 {
require_message_authenticator = no
secret = "test"
shortname = "AP-Tower"
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm bla {
authhost = LOCAL
accthost = LOCAL
}
realm LOCAL {
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "tls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/pki/tls/private/server.pem"
certificate_file = "/etc/pki/tls/private/server.pem"
CA_file = "/etc/pki/tls/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
check_cert_cn = "%{User-Name}"
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_detail
Module: Instantiating auth_log
detail auth_log {
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_realm
Module: Instantiating ntdomain
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/raddb/users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Instantiating detail
detail {
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking session {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating reply_log
detail reply_log {
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
}
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.8 port 1128, id=143,
length=203
Message-Authenticator = 0x6a9456153eae379a334abd83a66943de
Service-Type = Framed-User
User-Name = "[EMAIL PROTECTED]"
Framed-MTU = 1488
Called-Station-Id = "000FB5BA4F59:Flugplatz"
Calling-Station-Id = "00127946D8F2"
NAS-Identifier = "AP-Tower"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200001901626c615c75736572406578616d706c652e636f6d
NAS-IP-Address = 192.168.0.8
NAS-Port = 2
NAS-Port-Id = "STA port # 2"
+- entering group authorize
++[preprocess] returns ok
expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.0.8/auth-detail-20080205
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.0.8/auth-detail-20080205
expand: %t -> Tue Feb 5 22:55:02 2008
++[auth_log] returns ok
rlm_realm: Looking up realm "bla" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "bla"
rlm_realm: Adding Stripped-User-Name = "[EMAIL PROTECTED]"
rlm_realm: Proxying request from user [EMAIL PROTECTED] to realm bla
rlm_realm: Adding Realm = "bla"
rlm_realm: Authentication realm is LOCAL.
++[ntdomain] returns noop
rlm_eap: EAP packet type response id 0 length 25
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
users: Matched entry DEFAULT at line 226
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 143 to 192.168.0.8 port 1128
EAP-Message = 0x010100060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd855ce66d854c3db82f4be0093fad79e
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.8 port 1128, id=144,
length=270
Message-Authenticator = 0xc3e9820d65ceacf0da25985d0491a9dc
Service-Type = Framed-User
User-Name = "[EMAIL PROTECTED]"
Framed-MTU = 1488
State = 0xd855ce66d854c3db82f4be0093fad79e
Called-Station-Id = "000FB5BA4F59:Flugplatz"
Calling-Station-Id = "00127946D8F2"
NAS-Identifier = "AP-Tower"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x0201004a0d8000000040160301003b010000370301a7e723f972662a0dd9f47bf100b53967eacf0169d5d1cbf872f42a65f2a3113200001000040005000a000900640062000300060100
NAS-IP-Address = 192.168.0.8
NAS-Port = 2
NAS-Port-Id = "STA port # 2"
+- entering group authorize
++[preprocess] returns ok
expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.0.8/auth-detail-20080205
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.0.8/auth-detail-20080205
expand: %t -> Tue Feb 5 22:55:02 2008
++[auth_log] returns ok
rlm_realm: Looking up realm "bla" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "bla"
rlm_realm: Adding Stripped-User-Name = "[EMAIL PROTECTED]"
rlm_realm: Proxying request from user [EMAIL PROTECTED] to realm bla
rlm_realm: Adding Realm = "bla"
rlm_realm: Authentication realm is LOCAL.
++[ntdomain] returns noop
rlm_eap: EAP packet type response id 1 length 74
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
users: Matched entry DEFAULT at line 226
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
TLS Length 64
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 003b], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 075b], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a6], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 144 to 192.168.0.8 port 1128
EAP-Message = [fragmented TLS handshake hex omitted]
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd855ce66d957c3db82f4be0093fad79e
Finished request 1.
Going to the next request
Waking up in 0.8 seconds.
rad_recv: Access-Request packet from host 192.168.0.8 port 1128, id=145,
length=202
Message-Authenticator = 0x9ad3446768f6a2edfaac1bf4bc2fb1c0
Service-Type = Framed-User
User-Name = "[EMAIL PROTECTED]"
Framed-MTU = 1488
State = 0xd855ce66d957c3db82f4be0093fad79e
Called-Station-Id = "000FB5BA4F59:Flugplatz"
Calling-Station-Id = "00127946D8F2"
NAS-Identifier = "AP-Tower"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020200060d00
NAS-IP-Address = 192.168.0.8
NAS-Port = 2
NAS-Port-Id = "STA port # 2"
+- entering group authorize
++[preprocess] returns ok
expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.0.8/auth-detail-20080205
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.0.8/auth-detail-20080205
expand: %t -> Tue Feb 5 22:55:03 2008
++[auth_log] returns ok
rlm_realm: Looking up realm "bla" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "bla"
rlm_realm: Adding Stripped-User-Name = "[EMAIL PROTECTED]"
rlm_realm: Proxying request from user [EMAIL PROTECTED] to realm bla
rlm_realm: Adding Realm = "bla"
rlm_realm: Authentication realm is LOCAL.
++[ntdomain] returns noop
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
users: Matched entry DEFAULT at line 226
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 145 to 192.168.0.8 port 1128
EAP-Message = [fragmented TLS handshake hex omitted]
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd855ce66da56c3db82f4be0093fad79e
Finished request 2.
Going to the next request
Waking up in 0.7 seconds.
rad_recv: Access-Request packet from host 192.168.0.8 port 1128, id=146,
length=202
Message-Authenticator = 0x0835adbae1c68d7427e1db3683525dcb
Service-Type = Framed-User
User-Name = "[EMAIL PROTECTED]"
Framed-MTU = 1488
State = 0xd855ce66da56c3db82f4be0093fad79e
Called-Station-Id = "000FB5BA4F59:Flugplatz"
Calling-Station-Id = "00127946D8F2"
NAS-Identifier = "AP-Tower"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020300060d00
NAS-IP-Address = 192.168.0.8
NAS-Port = 2
NAS-Port-Id = "STA port # 2"
+- entering group authorize
++[preprocess] returns ok
expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.0.8/auth-detail-20080205
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.0.8/auth-detail-20080205
expand: %t -> Tue Feb 5 22:55:03 2008
++[auth_log] returns ok
rlm_realm: Looking up realm "bla" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "bla"
rlm_realm: Adding Stripped-User-Name = "[EMAIL PROTECTED]"
rlm_realm: Proxying request from user [EMAIL PROTECTED] to realm bla
rlm_realm: Adding Realm = "bla"
rlm_realm: Authentication realm is LOCAL.
++[ntdomain] returns noop
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
users: Matched entry DEFAULT at line 226
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 146 to 192.168.0.8 port 1128
EAP-Message =
0x010400780d800000085a536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f726974790e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd855ce66db51c3db82f4be0093fad79e
Finished request 3.
Going to the next request
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 192.168.0.8 port 1128, id=147,
length=1702
Message-Authenticator = 0x30b4960c3f45725d88c1be80642953a8
Service-Type = Framed-User
User-Name = "[EMAIL PROTECTED]"
Framed-MTU = 1488
State = 0xd855ce66db51c3db82f4be0093fad79e
Called-Station-Id = "000FB5BA4F59:Flugplatz"
Calling-Station-Id = "00127946D8F2"
NAS-Identifier = "AP-Tower"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = [fragmented TLS handshake hex omitted]
NAS-IP-Address = 192.168.0.8
NAS-Port = 2
NAS-Port-Id = "STA port # 2"
+- entering group authorize
++[preprocess] returns ok
expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.0.8/auth-detail-20080205
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.0.8/auth-detail-20080205
expand: %t -> Tue Feb 5 22:55:03 2008
++[auth_log] returns ok
rlm_realm: Looking up realm "bla" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "bla"
rlm_realm: Adding Stripped-User-Name = "[EMAIL PROTECTED]"
rlm_realm: Proxying request from user [EMAIL PROTECTED] to realm bla
rlm_realm: Adding Realm = "bla"
rlm_realm: Authentication realm is LOCAL.
++[ntdomain] returns noop
rlm_eap: EAP packet type response id 4 length 253
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
users: Matched entry DEFAULT at line 226
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
TLS Length 1505
rlm_eap_tls: Received EAP-TLS First Fragment of the message
eaptls_verify returned 9
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 147 to 192.168.0.8 port 1128
EAP-Message = 0x010500060d00
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd855ce66dc50c3db82f4be0093fad79e
Finished request 4.
Going to the next request
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 192.168.0.8 port 1128, id=148,
length=221
Message-Authenticator = 0x7d627a7897faed5ff31c3dd65eb009b5
Service-Type = Framed-User
User-Name = "[EMAIL PROTECTED]"
Framed-MTU = 1488
State = 0xd855ce66dc50c3db82f4be0093fad79e
Called-Station-Id = "000FB5BA4F59:Flugplatz"
Calling-Station-Id = "00127946D8F2"
NAS-Identifier = "AP-Tower"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020500190d00112d679a5282e10a85aafb50657bc8b89651c0
NAS-IP-Address = 192.168.0.8
NAS-Port = 2
NAS-Port-Id = "STA port # 2"
+- entering group authorize
++[preprocess] returns ok
expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.0.8/auth-detail-20080205
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.0.8/auth-detail-20080205
expand: %t -> Tue Feb 5 22:55:03 2008
++[auth_log] returns ok
rlm_realm: Looking up realm "bla" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "bla"
rlm_realm: Adding Stripped-User-Name = "[EMAIL PROTECTED]"
rlm_realm: Proxying request from user [EMAIL PROTECTED] to realm bla
rlm_realm: Adding Realm = "bla"
rlm_realm: Authentication realm is LOCAL.
++[ntdomain] returns noop
rlm_eap: EAP packet type response id 5 length 25
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
users: Matched entry DEFAULT at line 226
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
rlm_eap_tls: <<< TLS 1.0 Handshake [length 03a5], Certificate
chain-depth=1,
error=0
--> User-Name = [EMAIL PROTECTED]
--> BUF-Name = Example Certificate Authority
--> subject = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./[EMAIL
PROTECTED]/CN=Example Certificate Authority
--> issuer = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./[EMAIL
PROTECTED]/CN=Example Certificate Authority
--> verify return:1
expand: %{User-Name} -> [EMAIL PROTECTED]
rlm_eap_tls: checking certificate CN ([EMAIL PROTECTED]) with xlat'ed value
([EMAIL PROTECTED])
rlm_eap_tls: Certificate CN ([EMAIL PROTECTED]) does not match specified value
([EMAIL PROTECTED])!
chain-depth=0,
error=0
--> User-Name = [EMAIL PROTECTED]
--> BUF-Name = [EMAIL PROTECTED]
--> subject = /C=FR/ST=Radius/O=Example Inc./[EMAIL PROTECTED]/[EMAIL PROTECTED]
--> issuer = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./[EMAIL
PROTECTED]/CN=Example Certificate Authority
--> verify return:0
rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal certificate_unknown
TLS Alert write:fatal:certificate unknown
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
eaptls_process returned 13
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/<via Auth-Type = EAP>] (from client AP-Tower
port 2 cli 00127946D8F2)
Found Post-Auth-Type Reject
+- entering group REJECT
++- group REJECT returns noop
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.3 seconds.
Waking up in 0.1 seconds.
Waking up in 0.1 seconds.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host 192.168.0.8 port 1128, id=148,
length=221
Waiting to send Access-Reject to client AP-Tower port 1128 - ID: 148
Sending delayed reject for request 5
Sending Access-Reject of id 148 to 192.168.0.8 port 1128
EAP-Message = 0x04050004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.3 seconds.
Cleaning up request 0 ID 143 with timestamp +25
Waking up in 0.1 seconds.
Cleaning up request 1 ID 144 with timestamp +25
Cleaning up request 2 ID 145 with timestamp +26
Waking up in 0.1 seconds.
Cleaning up request 3 ID 146 with timestamp +26
Waking up in 0.2 seconds.
Cleaning up request 4 ID 147 with timestamp +26
Waking up in 1.0 seconds.
Cleaning up request 5 ID 148 with timestamp +26
Ready to process requests.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
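The mismatch in the attached log (the certificate CN is checked against the xlat'ed `%{User-Name}`, which the realm module leaves unstripped, while the stripped value is stored in `Stripped-User-Name`) can be modelled in a few lines. This is an added example, not FreeRADIUS code: it models the prefix-realm split and two xlat forms, `%{Attr}` and the server's `%{%{A}:-%{B}}` default-value syntax, and it assumes an empty-named realm can be matched, which the post reports did not work in 2.0.1.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed sample usernames: the "bla\..." form is what the log above shows,
# the "\user" form is what the post describes for a blank domain, and the last
# one is a plain username with no NT-domain prefix at all.
SAMPLE_USER_NAMES = ["bla\\user@example.com", "\\user@example.com", "user@example.com"]


def split_prefix_realm(user_name: str, delimiter: str = "\\") -> Tuple[Optional[str], str]:
    """Model of `format = prefix` / `delimiter = "\\"`: 'REALM<delim>user' -> (REALM, user).
    Returns (None, user_name) when the delimiter is absent, so nothing is stripped."""
    realm, sep, rest = user_name.partition(delimiter)
    if not sep:
        return None, user_name
    return realm, rest


def apply_realm_module(request: Dict[str, str], known_realms: Set[str],
                       delimiter: str = "\\") -> Optional[str]:
    """Model of the `ntdomain` realm instance: on a configured realm it adds
    Stripped-User-Name and Realm and leaves User-Name untouched (as the log shows).
    Assumption: a realm named "" is matchable, which the post says it could not get working."""
    realm, stripped = split_prefix_realm(request["User-Name"], delimiter)
    if realm is None or realm not in known_realms:
        return None  # unknown or missing realm: the request is not modified
    request["Stripped-User-Name"] = stripped
    request["Realm"] = realm
    return stripped


_FALLBACK = re.compile(r"%\{%\{([A-Za-z0-9-]+)\}:-%\{([A-Za-z0-9-]+)\}\}")
_SIMPLE = re.compile(r"%\{([A-Za-z0-9-]+)\}")


def xlat(template: str, request: Dict[str, str]) -> str:
    """Minimal xlat model: %{Attr} expands to the attribute (empty if absent), and
    %{%{A}:-%{B}} expands to A when A is present and non-empty, otherwise to B.
    The fallback form is handled first so its inner %{...} is not expanded on its own."""
    def fallback(m: "re.Match[str]") -> str:
        return request.get(m.group(1)) or request.get(m.group(2), "")

    out = _FALLBACK.sub(fallback, template)
    return _SIMPLE.sub(lambda m: request.get(m.group(1), ""), out)


def check_cert_cn(cert_cn: str, template: str, request: Dict[str, str]) -> bool:
    """Model of eap.conf `check_cert_cn`: the client certificate CN must equal the
    xlat'ed template, exactly as the 'checking certificate CN (...) with xlat'ed value'
    lines in the log do."""
    return cert_cn == xlat(template, request)


def evaluate(user_name: str, cert_cn: str, template: str,
             known_realms: Set[str] = frozenset({"bla", ""})) -> bool:
    """Run the authorize-time realm stripping, then the EAP-TLS CN check."""
    request = {"User-Name": user_name}
    apply_realm_module(request, set(known_realms))
    return check_cert_cn(cert_cn, template, request)


if __name__ == "__main__":
    cn = "user@example.com"  # constructed: the CN in the client certificate
    for name in SAMPLE_USER_NAMES:
        for template in ("%{User-Name}", "%{%{Stripped-User-Name}:-%{User-Name}}"):
            print(f"{name!r:28} {template:42} -> {evaluate(name, cn, template)}")
```

With `%{User-Name}` the prefixed names fail exactly as in the log, while the fallback form matches the stripped value when a realm was found and the original name otherwise.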