Hi,
My FreeRADIUS works as a proxy: it terminates EAP and proxies the request
with MS-CHAP to another FreeRADIUS.
When "Passing reply from proxy back into the tunnel", the proxy quits
with a segmentation fault.
This happens, with little difference, when sending the Accept or Reject
back to the NAS.
EAP/PEAP-MS-CHAPv2 is working when using a local user from the users file, so
that the request is not proxied.
My system is Ubuntu 10.4.2 LTS Server and FreeRADIUS 2.1.10 from source.
I hope someone has seen this before and can give a solution.
Please have a look at my attached debug log.
Thank you very much!
Simon
FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Jun 1 2011 at
14:11:11
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
main {
allow_core_dumps = yes
}
Core dumps are enabled.
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
realm spot {
nostrip
authhost = radius.blabla
accthost = radius2.blabla
secret = testing123
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 10.73.108.0/24 {
require_message_authenticator = no
secret = "testing123-3"
shortname = "Spot"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/usr/local/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/usr/local/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server proxy-inner-tunnel { # from file
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "secret"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = no
proxy_tunneled_request_as_eap = no
virtual_server = "proxy-inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
} # modules
} # server
server inner-tunnel { # from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/usr/local/etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/usr/local/etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/usr/local/etc/raddb/modules/files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/usr/local/etc/raddb/modules/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.access_reject" from file
/usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server { # from file /usr/local/etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file
/usr/local/etc/raddb/modules/digest
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/usr/local/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/usr/local/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/usr/local/etc/raddb/modules/detail
detail {
detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.accounting_response" from file
/usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/usr/local/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.73.108.250 port 2048, id=0,
length=127
User-Name = "test"
NAS-IP-Address = 10.73.108.250
Called-Station-Id = "022369f4829a"
Calling-Station-Id = "001e654bde20"
NAS-Identifier = "022369f4829a"
NAS-Port = 53
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201000c0174657374696164
Message-Authenticator = 0xa6136247aef9dc5a3dfc1e2cb7997c10
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.73.108.250 port 2048
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x872ceda5872ef416fcce132a807fa59a
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.73.108.250 port 2048, id=0,
length=254
Cleaning up request 0 ID 0 with timestamp +6
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x872ceda5872ef416 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "test"
NAS-IP-Address = 10.73.108.250
Called-Station-Id = "022369f4829a"
Calling-Station-Id = "001e654bde20"
NAS-Identifier = "022369f4829a"
NAS-Port = 53
Framed-MTU = 1400
State = 0x872ceda5872ef416fcce132a807fa59a
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0202007919800000006f160301006a0100006603014de639bb9b38461024c267db6347e663e2e14fd28e1023ab230b2f18a49c46da000018002f00350005000ac013c014c009c00a003200380013000401000025ff010001000000000c000a00000774657374696164000a0006000400170018000b00020100
Message-Authenticator = 0x09d281d00ac9508e0108822c7fb30caa
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 121
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 111
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 006a], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0804], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.73.108.250 port 2048
EAP-Message =
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
EAP-Message =
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
EAP-Message =
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
EAP-Message =
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
EAP-Message = 0x864886f70d01010505003081
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x872ceda5862ff416fcce132a807fa59a
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.73.108.250 port 2048, id=0,
length=139
Cleaning up request 1 ID 0 with timestamp +6
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x872ceda5862ff416 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "test"
NAS-IP-Address = 10.73.108.250
Called-Station-Id = "022369f4829a"
Calling-Station-Id = "001e654bde20"
NAS-Identifier = "022369f4829a"
NAS-Port = 53
Framed-MTU = 1400
State = 0x872ceda5862ff416fcce132a807fa59a
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300061900
Message-Authenticator = 0xda0bec72f89b8686c85db15af2b44f76
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.73.108.250 port 2048
EAP-Message =
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
EAP-Message =
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
EAP-Message =
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
EAP-Message =
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
EAP-Message = 0xd3f95b56a50d5669
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x872ceda58528f416fcce132a807fa59a
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.73.108.250 port 2048, id=0,
length=139
Cleaning up request 2 ID 0 with timestamp +7
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x872ceda58528f416 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "test"
NAS-IP-Address = 10.73.108.250
Called-Station-Id = "022369f4829a"
Calling-Station-Id = "001e654bde20"
NAS-Identifier = "022369f4829a"
NAS-Port = 53
Framed-MTU = 1400
State = 0x872ceda58528f416fcce132a807fa59a
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020400061900
Message-Authenticator = 0x68f1caeac9dbb34e879ae67676ca8c97
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.73.108.250 port 2048
EAP-Message =
0x010500621900c1968a67eebfcdeec55b0476cd4c38736f08703b40119f8279fc6e5109780f013bbcf61c0a3499974e1f2b2b197f92b14b348919d48a976735aae2239b3420f3e1c220f1392aed5584a7016fbce4e11663f3f016030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x872ceda58429f416fcce132a807fa59a
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.73.108.250 port 2048, id=0,
length=471
Cleaning up request 3 ID 0 with timestamp +7
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x872ceda58429f416 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "test"
NAS-IP-Address = 10.73.108.250
Called-Station-Id = "022369f4829a"
Calling-Station-Id = "001e654bde20"
NAS-Identifier = "022369f4829a"
NAS-Port = 53
Framed-MTU = 1400
State = 0x872ceda58429f416fcce132a807fa59a
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0205015019800000014616030101061000010201002fd2e04e279bf162c541aeee788f002b65735873489f21acd94660995587435dc0370fbfad1472db799b7303bebf29aca366663f0de56b89e680cecb6f8ad37c35fd58c0d68cce988cce7ca937afca0491956a51f6a8047e78292e99c9a8210af15691b862080636a300817b3ef75011b0ddc867d6e8694092b96deec5899a73677d8f1981b1dd130946d44454d3f507124fafe00d4400e6b46585cba802ac4c5f99d90cac556b77ee30c79a34570b131b2b0b4e6a57cf1fbc33e14c27fa1faf9e1ce2b099f88a32da92b4d1baf49f55dfdcd519b3f60875b1428a99c1bad3a5e9aaa881d69be353
EAP-Message =
0xbf638cf703605cb1f429cc16e4875a43eb7e402dbfc49c2614030100010116030100303dd7dd3b91da8e4a363a82f6debaae5f6705b526009a10487d46babb912ea45fd762cc20b5726d71ad9d327034712200
Message-Authenticator = 0x53c13b1af6b0f2dcb5a2e53bcaceefc9
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.73.108.250 port 2048
EAP-Message =
0x01060041190014030100010116030100309b393ca57780b79eb43b91305a280b65cd4ba48457e45e2b34e56ca754d6cfb214e09ca153dd0592850bb04e1b108ced
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x872ceda5832af416fcce132a807fa59a
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.73.108.250 port 2048, id=0,
length=139
Cleaning up request 4 ID 0 with timestamp +7
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x872ceda5832af416 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "test"
NAS-IP-Address = 10.73.108.250
Called-Station-Id = "022369f4829a"
Calling-Station-Id = "001e654bde20"
NAS-Identifier = "022369f4829a"
NAS-Port = 53
Framed-MTU = 1400
State = 0x872ceda5832af416fcce132a807fa59a
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020600061900
Message-Authenticator = 0x077dbc205e7bcfc6ce2b51f5c0bd33b6
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.73.108.250 port 2048
EAP-Message =
0x0107002b190017030100204e0a45adfc896d12ef52ee91ae7e917c4d5a0843b9daf0082763105b76ab1736
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x872ceda5822bf416fcce132a807fa59a
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.73.108.250 port 2048, id=0,
length=176
Cleaning up request 5 ID 0 with timestamp +7
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x872ceda5822bf416 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "test"
NAS-IP-Address = 10.73.108.250
Called-Station-Id = "022369f4829a"
Calling-Station-Id = "001e654bde20"
NAS-Identifier = "022369f4829a"
NAS-Port = 53
Framed-MTU = 1400
State = 0x872ceda5822bf416fcce132a807fa59a
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0207002b1900170301002002411188b62f7f0f621000198a3a5e51af322312f34dea684f00556e91d5320e
Message-Authenticator = 0xaaafa27b546fd600c990d7004e13daf1
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - test
[peap] Got inner identity 'test'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0207000c0174657374696164
server {
PEAP: Setting User-Name to test
Sending tunneled request
EAP-Message = 0x0207000c0174657374696164
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test"
NAS-IP-Address = 10.73.108.250
Called-Station-Id = "022369f4829a"
Calling-Station-Id = "001e654bde20"
NAS-Identifier = "022369f4829a"
NAS-Port = 53
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
server proxy-inner-tunnel {
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
+- entering group authorize {...}
++[control] returns notfound
} # server proxy-inner-tunnel
[peap] Got tunneled reply code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
# Executing group from file
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
PEAP: Cancelling proxy to realm spot until the tunneled EAP session has
been established
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010800211a0108001c10afd44c27c37b79af35d30add84bfef9874657374696164
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x387020c438783a8a5d7d9ae55d393176
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.73.108.250 port 2048
EAP-Message =
0x0108004b1900170301004037cceb9590851e01d3aa19f1c45feba5cfa13fb066dd3f58cc0f9d187f5b7e19da62d37bbc2fad7332dba399a98d25c3133ca262b780365bf5ac93687420ef18
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x872ceda58124f416fcce132a807fa59a
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.73.108.250 port 2048, id=0,
length=240
Cleaning up request 6 ID 0 with timestamp +7
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x872ceda58124f416 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "test"
NAS-IP-Address = 10.73.108.250
Called-Station-Id = "022369f4829a"
Calling-Station-Id = "001e654bde20"
NAS-Identifier = "022369f4829a"
NAS-Port = 53
Framed-MTU = 1400
State = 0x872ceda58124f416fcce132a807fa59a
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0208006b190017030100607a6e689c4a295b547d02ac764e369bdfa17c731c1a76bb532b99b82bf7b0920586378032ef2fcba3b91d178da911a71be5bc91d69c3de80fefcc9aa0629517ff15fdabe224a1ed7298c61a5e8408038259c765999b88ca7df972c2cfa0f708f4
Message-Authenticator = 0xe4230d4626e2d4b863a9c04b1303eb07
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020800421a0208003d312d2fa39213a4c0a56b970e13741f723500000000000000000e32e5c11d31a3f2315821c2cdfc09c9c5b5833f59459d6c0074657374696164
server {
PEAP: Setting User-Name to test
Sending tunneled request
EAP-Message = 0x020800421a0208003d312d2fa39213a4c0a56b970e13741f723500000000000000000e32e5c11d31a3f2315821c2cdfc09c9c5b5833f59459d6c0074657374696164
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test"
State = 0x387020c438783a8a5d7d9ae55d393176
NAS-IP-Address = 10.73.108.250
Called-Station-Id = "022369f4829a"
Calling-Station-Id = "001e654bde20"
NAS-Identifier = "022369f4829a"
NAS-Port = 53
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
server proxy-inner-tunnel {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
+- entering group authorize {...}
++[control] returns notfound
} # server proxy-inner-tunnel
[peap] Got tunneled reply code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
# Executing group from file /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Not-EAP proxy set. Not composing EAP
++[eap] returns handled
PEAP: Tunneled authentication will be proxied to spot
PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
[eap] Tunneled session will be proxied. Not doing EAP.
++[eap] returns handled
WARNING: Empty pre-proxy section. Using default return values.
Sending Access-Request of id 142 to 111.111.111.111 port 1812
User-Name = "test"
NAS-IP-Address = 10.73.108.250
Called-Station-Id = "022369f4829a"
Calling-Station-Id = "001e654bde20"
NAS-Identifier = "022369f4829a"
NAS-Port = 53
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
MS-CHAP-Challenge = 0xafd44c27c37b79af35d30add84bfef98
MS-CHAP2-Response = 0x08652d2fa39213a4c0a56b970e13741f723500000000000000000e32e5c11d31a3f2315821c2cdfc09c9c5b5833f59459d6c
Proxy-State = 0x30
Proxying request 7 to home server 111.111.111.111 port 1812
Sending Access-Request of id 142 to 111.111.111.111 port 1812
User-Name = "test"
NAS-IP-Address = 10.73.108.250
Called-Station-Id = "022369f4829a"
Calling-Station-Id = "001e654bde20"
NAS-Identifier = "022369f4829a"
NAS-Port = 53
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
MS-CHAP-Challenge = 0xafd44c27c37b79af35d30add84bfef98
MS-CHAP2-Response = 0x08652d2fa39213a4c0a56b970e13741f723500000000000000000e32e5c11d31a3f2315821c2cdfc09c9c5b5833f59459d6c
Proxy-State = 0x30
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 111.111.111.111 port 1812, id=142,
length=182
MS-CHAP2-Success = 0x08533d36303641433945394338314132343242413137463035344338314632353339364339423531354642
MS-MPPE-Recv-Key = 0x6402c90b25701f12a1f003586fa0067e
MS-MPPE-Send-Key = 0x26ceb550531337a9bba59aa8ad27a46d
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
Proxy-State = 0x30
# Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
[eap] Passing reply from proxy back into the tunnel.
server proxy-inner-tunnel {
[eap] Passing reply back for EAP-MS-CHAP-V2
# Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
+- entering group post-proxy {...}
++[eap] returns noop
WARNING: Empty post-auth section. Using default return values.
} # server proxy-inner-tunnel
[eap] Final reply from tunneled session code 2
MS-CHAP2-Success = 0x08533d36303641433945394338314132343242413137463035344338314632353339364339423531354642
MS-MPPE-Recv-Key = 0x6402c90b25701f12a1f003586fa0067e
MS-MPPE-Send-Key = 0x26ceb550531337a9bba59aa8ad27a46d
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
Proxy-State = 0x30
[eap] Got reply 2
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
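For anyone reading this log later, here is an added example (editor's code, not Simon's and not FreeRADIUS code) that decodes the bytes in the debug output above. It parses the tunneled EAP-MS-CHAPv2 Challenge and Response, rebuilds the RFC 2548 MS-CHAP-Challenge / MS-CHAP2-Response attributes that the proxy sent to the home server, and wraps the MS-CHAP2-Success from the Access-Accept back into the EAP-MS-CHAPv2 Success Request that the post-proxy step has to push into the PEAP tunnel, which is the point at which the proxy dies. The byte strings are copied from the log (split at field boundaries for readability); the EAP identifier used for the rebuilt Success Request (9, response id plus one) and all function names are assumptions of this example.

```python
"""Decode the EAP-MS-CHAPv2 <-> RADIUS MS-CHAP translation seen in the debug log.

Added example, not FreeRADIUS code. Hex strings are copied from the posted log;
the EAP id for the rebuilt Success Request (9) is an assumption.
"""
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MSCHAPV2 = 26
OP_CHALLENGE, OP_RESPONSE, OP_SUCCESS = 1, 2, 3

# Tunneled EAP-Message of the Challenge (request 6) and the Response (request 7).
EAP_CHALLENGE_HEX = ("010800211a" "0108001c10"
                     "afd44c27c37b79af35d30add84bfef98"      # Challenge
                     "74657374696164")                       # Name
EAP_RESPONSE_HEX = ("020800421a" "0208003d31"
                    "2d2fa39213a4c0a56b970e13741f7235"       # Peer-Challenge
                    "0000000000000000"                       # Reserved
                    "0e32e5c11d31a3f2315821c2cdfc09c9c5b5833f59459d6c"  # NT-Response
                    "00"                                     # Flags
                    "74657374696164")                        # Name
# What the proxy put on the wire towards the home server, and what came back.
MSCHAP_CHALLENGE_HEX = "afd44c27c37b79af35d30add84bfef98"
MSCHAP2_RESPONSE_HEX = ("0865"
                        "2d2fa39213a4c0a56b970e13741f7235"
                        "0000000000000000"
                        "0e32e5c11d31a3f2315821c2cdfc09c9c5b5833f59459d6c")
MSCHAP2_SUCCESS_HEX = ("08" "533d"
                       "36303641433945394338314132343242413137463035344338314632353339364339423531354642")


def parse_eap_mschapv2(pkt: bytes) -> dict:
    """Parse an EAP packet of type 26 (MS-CHAPv2) into its fields.

    Layout: EAP code, id, length, type | opcode, MS-CHAPv2-ID, MS-Length | payload.
    Raises ValueError on a length mismatch so a truncated packet is not half-parsed.
    """
    if len(pkt) < 9:
        raise ValueError("packet too short for EAP-MS-CHAPv2")
    code, eap_id, length, etype = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or etype != EAP_TYPE_MSCHAPV2:
        raise ValueError("not a complete EAP-MS-CHAPv2 packet")
    opcode, ms_id, ms_len = struct.unpack("!BBH", pkt[5:9])
    if ms_len != length - 5:
        raise ValueError("MS-Length does not match EAP length")
    body = pkt[9:]
    out = {"code": code, "eap_id": eap_id, "opcode": opcode, "ms_id": ms_id}
    if opcode in (OP_CHALLENGE, OP_RESPONSE):
        vsize = body[0]
        value, name = body[1:1 + vsize], body[1 + vsize:]
        out["name"] = name.decode("ascii")
        if opcode == OP_CHALLENGE:
            out["challenge"] = value                 # 16-byte authenticator challenge
        else:
            out["peer_challenge"] = value[:16]
            out["reserved"] = value[16:24]
            out["nt_response"] = value[24:48]
            out["flags"] = value[48]                 # must be 0 per RFC 2759
    elif opcode == OP_SUCCESS:
        out["message"] = body.decode("ascii")        # "S=<40 hex chars>" authenticator response
    return out


def to_radius_mschap2_response(resp: dict, flags: int = 0) -> bytes:
    """Build the 50-byte RFC 2548 MS-CHAP2-Response: Ident, Flags, Peer-Challenge, Reserved, Response."""
    return (bytes([resp["ms_id"], flags]) + resp["peer_challenge"]
            + resp["reserved"] + resp["nt_response"])


def success_to_eap(ms_chap2_success: bytes, eap_id: int) -> bytes:
    """Wrap a RADIUS MS-CHAP2-Success (Ident + "S=...") into an EAP-MS-CHAPv2 Success Request.

    This is the packet the proxy must send into the PEAP tunnel after the
    Access-Accept arrives; the client answers with a Success Response (opcode 3).
    """
    ident, message = ms_chap2_success[0], ms_chap2_success[1:]
    body = struct.pack("!BBH", OP_SUCCESS, ident, 4 + len(message)) + message
    return struct.pack("!BBHB", EAP_REQUEST, eap_id, 5 + len(body), EAP_TYPE_MSCHAPV2) + body


def explain_log_exchange() -> dict:
    """Cross-check the log artefacts against each other and rebuild the missing Success Request."""
    chal = parse_eap_mschapv2(bytes.fromhex(EAP_CHALLENGE_HEX))
    resp = parse_eap_mschapv2(bytes.fromhex(EAP_RESPONSE_HEX))
    wire = bytes.fromhex(MSCHAP2_RESPONSE_HEX)
    success_req = success_to_eap(bytes.fromhex(MSCHAP2_SUCCESS_HEX), resp["eap_id"] + 1)
    return {
        "challenge_forwarded": chal["challenge"] == bytes.fromhex(MSCHAP_CHALLENGE_HEX),
        "response_forwarded": to_radius_mschap2_response(resp)[2:] == wire[2:],
        "ident_forwarded": wire[0] == resp["ms_id"],
        "eap_flags": resp["flags"],        # 0x00 inside the tunnel
        "wire_flags": wire[1],             # 0x65 on the wire in the log
        "success_request_hex": success_req.hex(),
        "success_message": parse_eap_mschapv2(success_req)["message"],
    }


if __name__ == "__main__":
    for key, val in explain_log_exchange().items():
        print(f"{key}: {val}")
```

Two things the decode makes visible. First, the challenge, peer-challenge, NT-response and ident all cross the proxy unchanged, and the home server's Access-Accept confirms it could verify them; only the Flags byte differs (0x00 in the EAP payload, 0x65 on the wire, which happens to be the second byte of the Name field "testiad"). The home server accepted anyway, so that is not what kills the proxy. Second, the rebuilt Success Request is exactly the packet the log never shows: Simon's output stops at "[eap] Got reply 2", so the crash lies between receiving the post-proxy reply and composing that Success Request into the tunnel.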