Alan DeKok wrote:
> Tomas Pelka wrote:
>> have a problem with "advanced" EAP authentication methods including
>> PEAP, EAP-TLS, EAP-TTLS-MD5/MSCHAPV2.
>
> I wouldn't call them "advanced..."
>
>> Certs were created with the makefile included in freeradius sources.
>>
>> All my experiments end with: decapsulated EAP packet (code=4 id=4
>> len=4) from RADIUS server: EAP Failure
>>
>> Running as, for example
>> ./eapol_test -c test_tls.conf -a192.168.56.3 -p1812 -stesting123 -r1
>>
>> Output, eap.conf and test_tls.conf attached.
>
> <sigh> Can you explain why you sent:
>
> * config files
>
> * eapol_test output
>
> And NOT the server debugging output, as suggested in the FAQ, README,
> INSTALL, "man" page, web pages, and daily on this list?
>
> You have sent everything EXCEPT the information we need to help you.
Yes you are right, shame on me! radiusd -X output is attached now.
Sorry
--
Tom
FreeRADIUS Version 2.1.7, for host i486-pc-linux-gnu, built on Nov 18 2009 at
00:32:07
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/control-socket
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
group = freerad
user = freerad
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 192.168.56.0/24 {
require_message_authenticator = no
secret = "testing123"
shortname = "test-network"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "tls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/etc/freeradius/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile =
"/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/freeradius/freeradius.sock"
}
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/freeradius/freeradius.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.56.1 port 39184, id=0,
length=126
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000e01616e6f6e796d6f7573
Message-Authenticator = 0x859e794e4024790c24c2e5dd95721da2
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.56.1 port 39184
EAP-Message = 0x010100060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa78c9618a78d9b898e762a853550d7fe
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.56.1 port 39184, id=1,
length=136
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020100060315
State = 0xa78c9618a78d9b898e762a853550d7fe
Message-Authenticator = 0xb448eb19d86afc25566ec8b138f9a1d0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.56.1 port 39184
EAP-Message = 0x010200061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa78c9618a68e83898e762a853550d7fe
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.56.1 port 39184, id=2,
length=229
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x02020063150016030100580100005403014b0722ab45e9a23daf7ac843f876dbfde89176c5641516c72bf5df9f0ae1dc3e00002600390038003500160013000a00330032002f0005000400150012000900140011000800060003020100000400230000
State = 0xa78c9618a68e83898e762a853550d7fe
Message-Authenticator = 0x6c8251e9eab6634eb38557c5ae327199
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 99
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0058], ClientHello
[ttls] TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 0030], ServerHello
[ttls] TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 085e], Certificate
[ttls] TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[ttls] TLS_accept: SSLv3 write key exchange A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls] TLS_accept: SSLv3 write server done A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 2 to 192.168.56.1 port 39184
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa78c9618a58f83898e762a853550d7fe
Finished request 2.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.56.1 port 39184, id=3,
length=136
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020300061500
State = 0xa78c9618a58f83898e762a853550d7fe
Message-Authenticator = 0xb3b6657237a148d0f29a9f57199f531f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 3 to 192.168.56.1 port 39184
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa78c9618a48883898e762a853550d7fe
Finished request 3.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.56.1 port 39184, id=4,
length=136
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400061500
State = 0xa78c9618a48883898e762a853550d7fe
Message-Authenticator = 0x3511ea1e23f6cec0183642931c07cb09
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 4 to 192.168.56.1 port 39184
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa78c9618a38983898e762a853550d7fe
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.56.1 port 39184, id=5,
length=334
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x020500cc15001603010086100000820080d9b1954b9380d6f4e8acf3251062d055fb6fc95b694eb5c65e6d5cc808a494980b0ca8dc46dd1022df50696490827bdd1f2269703840a63820f735fac21bebcb5609033c5799c52b56f4c4b02b84e5bed9ce9529336de35d4160c2bfc46db63a95137dbaad2e14d7d21c9bce4a26998f00179898271b2652e1c23b258df8dbba14030100010116030100305e86e718291d8c61aa77f3853b1a77b3f2cf49592be1d64fc3ae965b471d15afc544ef3009edec8974cd2164038cd5a2
State = 0xa78c9618a38983898e762a853550d7fe
Message-Authenticator = 0xad9fb735ff4ce58f19cab8d1d8f74921
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 204
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[ttls] TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 Handshake [length 00aa]???
[ttls] TLS_accept: unknown state
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 write finished A
[ttls] TLS_accept: SSLv3 flush data
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 5 to 192.168.56.1 port 39184
EAP-Message =
0x010600f41580000000ea16030100aa040000a60000000000a084b5c0d38a4ca606de5f40c7d495c8fb3745f57f28155175126856791c30cf0390d4845df412320913d31b309ef9c9ce38d3ee24f4146bd216fc46347de3b47d3c6eb7b3645b1eec5672708db4a67840648bef56d07904cb0e5ad07602a5d66f7c595c94437f3a54dc4da8993d0ef358c7d42e077bae3181bcd2cba6c68bbc424980fea06d681c4bdb2d09f9c8b7c5cbf1a3abef14bf6b41d1deaa3f211f9cee140301000101160301003055734cc8712c2877e4c095b7612298f19ed5cfdd77bbea686a4ef18613ec5d1397725fc1c304781154b081ab49fdfff2
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa78c9618a28a83898e762a853550d7fe
Finished request 5.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.56.1 port 39184, id=6,
length=242
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x0206007015001703010020d52f355c3ba826728ec6f8d75dcb3beb13e4816c99cf279e9221441c6575f11017030100400e41c7a6359df8f3399a05578f4108d442f11d5b2feec0d84afd422be8cce0402704cdd3b348043ecc671cb38b169370f823e4f3029a88d3bbd7799cf83b63d9
State = 0xa78c9618a28a83898e762a853550d7fe
Message-Authenticator = 0x4028f6a62ee1806921615cf7dd531ce8
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
EAP-Message = 0x0200000d017465737475736572
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Got tunneled identity of testuser
[ttls] Setting default EAP type for tunneled EAP session.
[ttls] Sending tunneled request
EAP-Message = 0x0200000d017465737475736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testuser"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 0 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry testuser at line 205
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[ttls] Got tunneled reply code 11
EAP-Message = 0x010100160410d40b68eabb90b8d91cff930c1c685d06
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb2ba9debb2bb99262f90c62437fa241b
[ttls] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 6 to 192.168.56.1 port 39184
EAP-Message =
0x0107004f1580000000451703010040bcb775bf77737c565c7c62efcbcc16038a22e722de738a60a0fa08f494736f1e51c198707b15d717072fe88ba8850aec9afb0d871e14bafaf172325a90fd9503
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa78c9618a18b83898e762a853550d7fe
Finished request 6.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.56.1 port 39184, id=7,
length=242
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x0207007015001703010020ed859394b91d43bce51f95fce8c798fac6b455264e71e1ece6ed0f2c93e3037d1703010040a27192a92b5fbe74a2800f3fa0e7a8320946087975fd9c7041d138b0dd6b8108d36f53ac6dd9925f8294795799bc7a45a32b5a3261b50720089a98b7b948a79f
State = 0xa78c9618a18b83898e762a853550d7fe
Message-Authenticator = 0xc19d5ab5493e0e6042e61306c5f21b1b
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
EAP-Message = 0x0201001604105f9f2d7c64fc8eb78b6253c33f177cdf
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
EAP-Message = 0x0201001604105f9f2d7c64fc8eb78b6253c33f177cdf
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testuser"
State = 0xb2ba9debb2bb99262f90c62437fa241b
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 1 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry testuser at line 205
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
[eap] Freeing handler
++[eap] returns ok
WARNING: Empty section. Using default return values.
} # server inner-tunnel
[ttls] Got tunneled reply code 2
EAP-Message = 0x03010004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "testuser"
[ttls] Got tunneled Access-Accept
[eap] Freeing handler
rlm_eap_ttls: Freeing handler for user testuser
++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 7 to 192.168.56.1 port 39184
MS-MPPE-Recv-Key =
0xe5198763de54ae9f4a535508fb5427e98023c0c66ff7dc43eb1b5c4e406df59c
MS-MPPE-Send-Key =
0x5f9296e057249eb6637aaa412b390409c9cf231a9cebb73c5fddddb54c8f92f8
EAP-Message = 0x03070004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "anonymous"
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.56.1 port 39184, id=8,
length=126
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000e01616e6f6e796d6f7573
Message-Authenticator = 0xdd67125859cd2aff16fe1b64e4e6839e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 8 to 192.168.56.1 port 39184
EAP-Message = 0x010100060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb78328abb78225cdd1f7ad3eb3c71c89
Finished request 8.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.56.1 port 39184, id=9,
length=136
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020100060315
State = 0xb78328abb78225cdd1f7ad3eb3c71c89
Message-Authenticator = 0xdf9ef172538856432ea3aa0e23d59bc3
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 9 to 192.168.56.1 port 39184
EAP-Message = 0x010200061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb78328abb6813dcdd1f7ad3eb3c71c89
Finished request 9.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.56.1 port 39184, id=10, length=391
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
EAP-Message = 0xaa3f211f9cee
State = 0xb78328abb6813dcdd1f7ad3eb3c71c89
Message-Authenticator = 0xa3c4c91ab57a40408c117a4ce4caa2c8
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 00f8], ClientHello
[ttls] TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[ttls] TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 write finished A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read finished A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 10 to 192.168.56.1 port 39184
EAP-Message = 0x0103007415800000006a160301002a0200002603014b0722acac1d641e1a39f2777289fa4851f0cab2ec5a11eed7a1605b70a8b8a90000390114030100010116030100305a80dfc2f75fcd7fbba26d9b3e671b91d50d969d0d9ff4855e775c427109e64e7de446fc71e197e7544d33762d0f9415
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb78328abb5803dcdd1f7ad3eb3c71c89
Finished request 10.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.56.1 port 39184, id=11, length=195
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x02030041150014030100010116030100306335a608841f00d733608f3ab9ab3f6d335b42a4761c4828ce6e0d0baf02bb5c319e84b7fa5dc81b308dce1d42a65628
State = 0xb78328abb5803dcdd1f7ad3eb3c71c89
Message-Authenticator = 0xa3e9881bc97ead5412af836838de342e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 65
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 read finished A
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
SSL Application Data
[ttls] eaptls_process returned 3
[ttls] Skipping Phase2 due to session resumption
[ttls] FAIL: Forcibly stopping session resumption as it is not allowed.
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> anonymous
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 11 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 11
Sending Access-Reject of id 11 to 192.168.56.1 port 39184
EAP-Message = 0x04030004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.6 seconds.
Cleaning up request 0 ID 0 with timestamp +6
Cleaning up request 1 ID 1 with timestamp +6
Waking up in 0.1 seconds.
Cleaning up request 2 ID 2 with timestamp +6
Cleaning up request 3 ID 3 with timestamp +6
Cleaning up request 4 ID 4 with timestamp +6
Cleaning up request 5 ID 5 with timestamp +6
Cleaning up request 6 ID 6 with timestamp +6
Cleaning up request 7 ID 7 with timestamp +6
Waking up in 0.1 seconds.
Cleaning up request 8 ID 8 with timestamp +7
Cleaning up request 9 ID 9 with timestamp +7
Cleaning up request 10 ID 10 with timestamp +7
Waking up in 1.0 seconds.
Cleaning up request 11 ID 11 with timestamp +7
Ready to process requests.
#
# Please read the documentation file ../doc/processing_users_file,
# or 'man 5 users' (after installing the server) for more information.
#
# This file contains authentication security and configuration
# information for each user. Accounting requests are NOT processed
# through this file. Instead, see 'acct_users', in this directory.
#
# The first field is the user's name and can be up to
# 253 characters in length. This is followed (on the same line) with
# the list of authentication requirements for that user. This can
# include password, comm server name, comm server port number, protocol
# type (perhaps set by the "hints" file), and huntgroup name (set by
# the "huntgroups" file).
#
# If you are not sure why a particular reply is being sent by the
# server, then run the server in debugging mode (radiusd -X), and
# you will see which entries in this file are matched.
#
# When an authentication request is received from the comm server,
# these values are tested. Only the first match is used unless the
# "Fall-Through" variable is set to "Yes".
#
# A special user named "DEFAULT" matches on all usernames.
# You can have several DEFAULT entries. All entries are processed
# in the order they appear in this file. The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.
#
# If you use the database support to turn this file into a .db or .dbm
# file, the DEFAULT entries _have_ to be at the end of this file and
# you can't have multiple entries for one username.
#
# Indented (with the tab character) lines following the first
# line indicate the configuration values to be passed back to
# the comm server to allow the initiation of a user session.
# This can include things like the PPP configuration values
# or the host to log the user onto.
#
# You can include another `users' file with `$INCLUDE users.other'
#
#
# For a list of RADIUS attributes, and links to their definitions,
# see:
#
# http://www.freeradius.org/rfc/attributes.html
#
#
# Deny access for a specific user. Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#lameuser Auth-Type := Reject
# Reply-Message = "Your account has been disabled."
#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT Group == "disabled", Auth-Type := Reject
# Reply-Message = "Your account has been disabled."
#
#
# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
#steve Cleartext-Password := "testing"
# Service-Type = Framed-User,
# Framed-Protocol = PPP,
# Framed-IP-Address = 172.16.3.33,
# Framed-IP-Netmask = 255.255.255.0,
# Framed-Routing = Broadcast-Listen,
# Framed-Filter-Id = "std.ppp",
# Framed-MTU = 1500,
# Framed-Compression = Van-Jacobsen-TCP-IP
#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe" Cleartext-Password := "hello"
# Reply-Message = "Hello, %{User-Name}"
#
# Dial user back and telnet to the default host for that port
#
#Deg Cleartext-Password := "ge55ged"
# Service-Type = Callback-Login-User,
# Login-IP-Host = 0.0.0.0,
# Callback-Number = "9,5551212",
# Login-Service = Telnet,
# Login-TCP-Port = Telnet
#
# Another complete entry. After the user "dialbk" has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host "timeshare1".
#
#dialbk Cleartext-Password := "callme"
# Service-Type = Callback-Login-User,
# Login-IP-Host = timeshare1,
# Login-Service = PortMaster,
# Callback-Number = "9,1-800-555-1212"
#
# user "swilson" will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups file).
#
# Note that by setting "Fall-Through", other attributes will be added from
# the following DEFAULT entries
#
#swilson Service-Type == Framed-User, Huntgroup-Name == "alphen"
# Framed-IP-Address = 192.168.1.65,
# Fall-Through = Yes
#
# If the user logs in as 'username.shell', then authenticate them
# using the default method, give them shell access, and stop processing
# the rest of the file.
#
#DEFAULT Suffix == ".shell"
# Service-Type = Login-User,
# Login-Service = Telnet,
# Login-IP-Host = your.shell.machine
#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#
#
# Set up different IP address pools for the terminal servers.
# Note that the "+" behind the IP address means that this is the "base"
# IP address. The Port-Id (S0, S1 etc) will be added to it.
#
#DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen"
# Framed-IP-Address = 192.168.1.32+,
# Fall-Through = Yes
#DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft"
# Framed-IP-Address = 192.168.2.32+,
# Fall-Through = Yes
#
# Sample defaults for all framed connections.
#
#DEFAULT Service-Type == Framed-User
# Framed-IP-Address = 255.255.255.254,
# Framed-MTU = 576,
# Service-Type = Framed-User,
# Fall-Through = Yes
#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
# by the terminal server in which case there may not be a "P" suffix.
# The terminal server sends "Framed-Protocol = PPP" for auto PPP.
#
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
#
# Last default: rlogin to our main server.
#
#DEFAULT
# Service-Type = Login-User,
# Login-Service = Rlogin,
# Login-IP-Host = shellbox.ispdomain.com
# #
# # Last default: shell on the local terminal server.
# #
# DEFAULT
# Service-Type = Administrative-User
# On no match, the user is denied access.
testuser Cleartext-Password := "password"
#DEFAULT Auth-Type = System
# Fall-Through = 1