пропозиції роботи
Dariusz
Bednarczyk
RPA Developer
(Automation Anywhere
\ Winshuttle )
Temat: freeradius autoryzuje użytkowników ale brak połączenia
WitamMój problem polega na tym, że freeradius rozpoznaje niby użytkowników, ale niestety nie umożliwia podłączenie się do internetu. Poniżej zamieszczam log z próby autoryzacji użytkowników oraz pliki konfiguracyjne.
FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Nov 25 2010 at 03:32:10
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/freeradius/freeradius.pid"
user = "freerad"
group = "freerad"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client 192.168.1.0/24 {
require_message_authenticator = no
secret = "haslo_do_radiusa"
shortname = "apek"
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "tls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server_keycert.pem"
certificate_file = "/etc/freeradius/certs/server_keycert.pem"
CA_file = "/etc/freeradius/certs/cacert.pem"
private_key_password = "haselko1"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/etc/freeradius/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
check_cert_cn = "%{User-Name}"
cipher_list = "DEFAULT"
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
}
}
}
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
}
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
main {
snmp = no
smux_password = ""
snmp_write_access = no
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.254 port 1060, id=0, length=177
Message-Authenticator = 0x70a7d08340ab06c35ced82a40b903130
Service-Type = Framed-User
User-Name = "root\000"
Framed-MTU = 1488
Called-Station-Id = "D8-5D-4C-F0-A1-B4:TP-LINK_F0A1B4"
Calling-Station-Id = "00-1C-BF-66-4C-E3"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0200000901726f6f74
NAS-IP-Address = 192.168.1.5
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "root", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
users: Matched entry root at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.254 port 1060
EAP-Message = 0x010100060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe283fecde282f313079705a1469e3bb8
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 1060, id=1, length=192
Message-Authenticator = 0xe924c3d30fca85010f948b999ccf6cbc
Service-Type = Framed-User
User-Name = "root\000"
Framed-MTU = 1488
State = 0xe283fecde282f313079705a1469e3bb8
Called-Station-Id = "D8-5D-4C-F0-A1-B4:TP-LINK_F0A1B4"
Calling-Station-Id = "00-1C-BF-66-4C-E3"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020100060319
NAS-IP-Address = 192.168.1.5
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "root", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
users: Matched entry root at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.1.254 port 1060
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe283fecde381e713079705a1469e3bb8
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 1060, id=2, length=306
Message-Authenticator = 0x9c3d7a8ea5ae7f1cbd16ba10d97cd0bc
Service-Type = Framed-User
User-Name = "root\000"
Framed-MTU = 1488
State = 0xe283fecde381e713079705a1469e3bb8
Called-Station-Id = "D8-5D-4C-F0-A1-B4:TP-LINK_F0A1B4"
Calling-Station-Id = "00-1C-BF-66-4C-E3"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0202007819800000006e16030100690100006503014cf2214d94480ea2fc1e8d8172031d43b2e2b84347c488e04fb5c3c221e08823000018002f00350005000ac009c00ac013c014003200380013000401000024000000090007000004726f6f74000a00080006001700180019000b00020100ff01000100
NAS-IP-Address = 192.168.1.5
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "root", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 2 length 120
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
TLS Length 110
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0069], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0051], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 058d], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 2 to 192.168.1.254 port 1060
EAP-Message = 0x0103040019c0000005f116030100510200004d03014cf1860f085f67a523981ff6c5145aec9a282f7794c38a205137a820b33cf872206b98bc940f91bb2ad47b8445850114403c872edab0c4030c350fe87c944dcc54002f000005ff01000100160301058d0b00058900058600026630820262308201cba003020102020900967ace09be6bfec3300d06092a864886f70d01010505003066310b300906035504061302504c310c300a06035504081303777364310c300a060355040a1303776473310c300a060355040b13037266763110300e06035504031307737065616b6572311b301906092a864886f70d010901160c7764776540747477732e70
EAP-Message = 0x6c301e170d3130313132373230313431355a170d3131313132373230313431355a3067310b300906035504061302504c310b3009060355040813027764310b3009060355040713027764310a3008060355040a130172310b3009060355040b130267743110300e06035504031307737065616b65723113301106092a864886f70d01090116047764656630819f300d06092a864886f70d010101050003818d0030818902818100ad4499a2928c6a3cd1745d832fd40558b596ebd5c723341fa5547e173cab5d20c0b0df66d792a2e0b97fed333e84c667c4220c6558924f47c3979d960f5caa2cc36cd8aae4c48e918479e2c485f89f8dc7508f061fe6
EAP-Message = 0xd669b286f8d260197b5f73cdf22951a9351409c497ff1066318d1e02e436a0ec545f8c5af95b0d78871f0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000381810044b4400245700161c96428288dd133e8379298cbfcd869f7a686b02c3c2e43f6155437bf0c8f75a554270a0c4b7de67acdf7d634f185cd8dcdc4b27891508e59ac05fdd9353bc4ce7f17ff65941b8c7ba6fca488dc13124166dfe02a8d7beacd1cbe20cf9c96f3ea9413be83bd058a3abee24e27b693e364301c887f0a17306800031a308203163082027fa003020102020900967ace09be6bfec2300d06092a8648
EAP-Message = 0x86f70d01010505003066310b300906035504061302504c310c300a06035504081303777364310c300a060355040a1303776473310c300a060355040b13037266763110300e06035504031307737065616b6572311b301906092a864886f70d010901160c7764776540747477732e706c301e170d3130313132373230303232385a170d3133313132363230303232385a3066310b300906035504061302504c310c300a06035504081303777364310c300a060355040a1303776473310c300a060355040b13037266763110300e06035504031307737065616b6572311b301906092a864886f70d010901160c7764776540747477732e706c30819f300d
EAP-Message = 0x06092a864886f70d01010105
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe283fecde080e713079705a1469e3bb8
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 1060, id=3, length=192
Message-Authenticator = 0x4160a2e7e00cdd9da20ed7cd20c6a494
Service-Type = Framed-User
User-Name = "root\000"
Framed-MTU = 1488
State = 0xe283fecde080e713079705a1469e3bb8
Called-Station-Id = "D8-5D-4C-F0-A1-B4:TP-LINK_F0A1B4"
Calling-Station-Id = "00-1C-BF-66-4C-E3"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020300061900
NAS-IP-Address = 192.168.1.5
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "root", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 3 to 192.168.1.254 port 1060
EAP-Message = 0x0104020119000003818d0030818902818100b8ae878f2de14033b971e7f670820c8929250c30a0e793aa2ec1ebc525cf6ee3737fcdb6f170f0b541de5edaa6eb745944b822cede1377bd1b51832cec9c443169d1c813505cec004377511b9282cd86a5ace32c0b24104ee03a45293d65b8a09f647300e5e3bf0126122674ee52369f0a4eb10d945fdbc081a600a50a6415870203010001a381cb3081c8301d0603551d0e04160414e20e64b08ea0721cb627da1a8666669e4419956a3081980603551d2304819030818d8014e20e64b08ea0721cb627da1a8666669e4419956aa16aa4683066310b300906035504061302504c310c300a060355040813
EAP-Message = 0x03777364310c300a060355040a1303776473310c300a060355040b13037266763110300e06035504031307737065616b6572311b301906092a864886f70d010901160c7764776540747477732e706c820900967ace09be6bfec2300c0603551d13040530030101ff300d06092a864886f70d0101050500038181007c2ced180c8c06e2191fcade76499e16866c8b2f5c3ae9d4864d15c7fad6cdb3bdacd2a1fd11468d277df61c811aa5246359801c35e9ab19fe621b83f365a153676e5781d90a0c8d9d555ee2c6b9e19a98be00702f61d00b58d075e3cf8d66a90376178d11715c4af0108e66c5b2e6c6f3b229678db65c82ebcfaf9cc9fd9f991603
EAP-Message = 0x0100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe283fecde187e713079705a1469e3bb8
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +18
Cleaning up request 1 ID 1 with timestamp +18
Cleaning up request 2 ID 2 with timestamp +18
Cleaning up request 3 ID 3 with timestamp +18
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.254 port 1060, id=4, length=192
Message-Authenticator = 0x6340cd953809eb2e149855540a1e0fb8
Service-Type = Framed-User
User-Name = "root\000"
Framed-MTU = 1488
State = 0xe283fecde187e713079705a1469e3bb8
Called-Station-Id = "D8-5D-4C-F0-A1-B4:TP-LINK_F0A1B4"
Calling-Station-Id = "00-1C-BF-66-4C-E3"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020400061900
NAS-IP-Address = 192.168.1.5
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "root", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 4 to 192.168.1.254 port 1060
EAP-Message = 0x010500061900
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe283fecde686e713079705a1469e3bb8
Finished request 4.
Going to the next request
Waking up in 5.0 seconds.
Cleaning up request 4 ID 4 with timestamp +32
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.254 port 1060, id=0, length=179
Message-Authenticator = 0x1cb84b58aab20a621ef2c48440fa089a
Service-Type = Framed-User
User-Name = "root2\000"
Framed-MTU = 1488
Called-Station-Id = "D8-5D-4C-F0-A1-B4:TP-LINK_F0A1B4"
Calling-Station-Id = "00-1C-BF-66-4C-E3"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0200000a01726f6f7432
NAS-IP-Address = 192.168.1.5
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "root2", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 10
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.254 port 1060
EAP-Message = 0x010100060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc8d5a72ac8d4aa55e457568ca7e679a7
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 1060, id=1, length=193
Message-Authenticator = 0x90b02545d25826382d5b6870c3f36045
Service-Type = Framed-User
User-Name = "root2\000"
Framed-MTU = 1488
State = 0xc8d5a72ac8d4aa55e457568ca7e679a7
Called-Station-Id = "D8-5D-4C-F0-A1-B4:TP-LINK_F0A1B4"
Calling-Station-Id = "00-1C-BF-66-4C-E3"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020100060319
NAS-IP-Address = 192.168.1.5
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "root2", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.1.254 port 1060
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc8d5a72ac9d7be55e457568ca7e679a7
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 1060, id=2, length=308
Message-Authenticator = 0xc30ebe30cc1d854a038a9ad52b13a1f1
Service-Type = Framed-User
User-Name = "root2\000"
Framed-MTU = 1488
State = 0xc8d5a72ac9d7be55e457568ca7e679a7
Called-Station-Id = "D8-5D-4C-F0-A1-B4:TP-LINK_F0A1B4"
Calling-Station-Id = "00-1C-BF-66-4C-E3"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0202007919800000006f160301006a0100006603014cf2217d7853f6ee3a47b8b662c4f4a4eb5e41d2b53187f2b9bbf70ca93941ea000018002f00350005000ac009c00ac013c0140032003800130004010000250000000a0008000005726f6f7432000a00080006001700180019000b00020100ff01000100
NAS-IP-Address = 192.168.1.5
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "root2", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 2 length 121
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
TLS Length 111
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 006a], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0051], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 058d], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 2 to 192.168.1.254 port 1060
EAP-Message = 0x0103040019c0000005f116030100510200004d03014cf1864062b2079645d5ef4e5de44f94642eeead7a7ec69b6e88949cef98cc7120e152fce53df8bdde09a59941feb463daf01df4b43c438eede9b3c97f20375524002f000005ff01000100160301058d0b00058900058600026630820262308201cba003020102020900967ace09be6bfec3300d06092a864886f70d01010505003066310b300906035504061302504c310c300a06035504081303777364310c300a060355040a1303776473310c300a060355040b13037266763110300e06035504031307737065616b6572311b301906092a864886f70d010901160c7764776540747477732e70
EAP-Message = 0x6c301e170d3130313132373230313431355a170d3131313132373230313431355a3067310b300906035504061302504c310b3009060355040813027764310b3009060355040713027764310a3008060355040a130172310b3009060355040b130267743110300e06035504031307737065616b65723113301106092a864886f70d01090116047764656630819f300d06092a864886f70d010101050003818d0030818902818100ad4499a2928c6a3cd1745d832fd40558b596ebd5c723341fa5547e173cab5d20c0b0df66d792a2e0b97fed333e84c667c4220c6558924f47c3979d960f5caa2cc36cd8aae4c48e918479e2c485f89f8dc7508f061fe6
EAP-Message = 0xd669b286f8d260197b5f73cdf22951a9351409c497ff1066318d1e02e436a0ec545f8c5af95b0d78871f0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000381810044b4400245700161c96428288dd133e8379298cbfcd869f7a686b02c3c2e43f6155437bf0c8f75a554270a0c4b7de67acdf7d634f185cd8dcdc4b27891508e59ac05fdd9353bc4ce7f17ff65941b8c7ba6fca488dc13124166dfe02a8d7beacd1cbe20cf9c96f3ea9413be83bd058a3abee24e27b693e364301c887f0a17306800031a308203163082027fa003020102020900967ace09be6bfec2300d06092a8648
EAP-Message = 0x86f70d01010505003066310b300906035504061302504c310c300a06035504081303777364310c300a060355040a1303776473310c300a060355040b13037266763110300e06035504031307737065616b6572311b301906092a864886f70d010901160c7764776540747477732e706c301e170d3130313132373230303232385a170d3133313132363230303232385a3066310b300906035504061302504c310c300a06035504081303777364310c300a060355040a1303776473310c300a060355040b13037266763110300e06035504031307737065616b6572311b301906092a864886f70d010901160c7764776540747477732e706c30819f300d
EAP-Message = 0x06092a864886f70d01010105
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc8d5a72acad6be55e457568ca7e679a7
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 1060, id=3, length=193
Message-Authenticator = 0x59e4fdf5be26b2548696a5c0a0694575
Service-Type = Framed-User
User-Name = "root2\000"
Framed-MTU = 1488
State = 0xc8d5a72acad6be55e457568ca7e679a7
Called-Station-Id = "D8-5D-4C-F0-A1-B4:TP-LINK_F0A1B4"
Calling-Station-Id = "00-1C-BF-66-4C-E3"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020300061900
NAS-IP-Address = 192.168.1.5
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "root2", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 3 to 192.168.1.254 port 1060
EAP-Message = 0x0104020119000003818d0030818902818100b8ae878f2de14033b971e7f670820c8929250c30a0e793aa2ec1ebc525cf6ee3737fcdb6f170f0b541de5edaa6eb745944b822cede1377bd1b51832cec9c443169d1c813505cec004377511b9282cd86a5ace32c0b24104ee03a45293d65b8a09f647300e5e3bf0126122674ee52369f0a4eb10d945fdbc081a600a50a6415870203010001a381cb3081c8301d0603551d0e04160414e20e64b08ea0721cb627da1a8666669e4419956a3081980603551d2304819030818d8014e20e64b08ea0721cb627da1a8666669e4419956aa16aa4683066310b300906035504061302504c310c300a060355040813
EAP-Message = 0x03777364310c300a060355040a1303776473310c300a060355040b13037266763110300e06035504031307737065616b6572311b301906092a864886f70d010901160c7764776540747477732e706c820900967ace09be6bfec2300c0603551d13040530030101ff300d06092a864886f70d0101050500038181007c2ced180c8c06e2191fcade76499e16866c8b2f5c3ae9d4864d15c7fad6cdb3bdacd2a1fd11468d277df61c811aa5246359801c35e9ab19fe621b83f365a153676e5781d90a0c8d9d555ee2c6b9e19a98be00702f61d00b58d075e3cf8d66a90376178d11715c4af0108e66c5b2e6c6f3b229678db65c82ebcfaf9cc9fd9f991603
EAP-Message = 0x0100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc8d5a72acbd1be55e457568ca7e679a7
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 1060, id=4, length=193
Message-Authenticator = 0xa99a0c183e2c5191ec057c12343e7b57
Service-Type = Framed-User
User-Name = "root2\000"
Framed-MTU = 1488
State = 0xc8d5a72acbd1be55e457568ca7e679a7
Called-Station-Id = "D8-5D-4C-F0-A1-B4:TP-LINK_F0A1B4"
Calling-Station-Id = "00-1C-BF-66-4C-E3"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020400061900
NAS-IP-Address = 192.168.1.5
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "root2", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 4 to 192.168.1.254 port 1060
EAP-Message = 0x010500061900
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc8d5a72accd0be55e457568ca7e679a7
Finished request 9.
Going to the next request
Waking up in 3.9 seconds.
Cleaning up request 5 ID 0 with timestamp +67
Cleaning up request 6 ID 1 with timestamp +67
Cleaning up request 7 ID 2 with timestamp +67
Cleaning up request 8 ID 3 with timestamp +67
Waking up in 1.0 seconds.
Cleaning up request 9 ID 4 with timestamp +68
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.254 port 1060, id=0, length=179
Message-Authenticator = 0x9d9c0422f718bb63620287ff600accd6
Service-Type = Framed-User
User-Name = "user1\000"
Framed-MTU = 1488
Called-Station-Id = "D8-5D-4C-F0-A1-B4:TP-LINK_F0A1B4"
Calling-Station-Id = "00-1C-BF-66-4C-E3"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0200000a017573657231
NAS-IP-Address = 192.168.1.5
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 10
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry user1 at line 3
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [user1\000/<via Auth-Type = Accept>] (from client apek port 1 cli 00-1C-BF-66-4C-E3)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 0 to 192.168.1.254 port 1060
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
Invalid packet code 2 sent to authentication port from client apek port 1060 : IGNORED
Waking up in 2.9 seconds.
Cleaning up request 10 ID 0 with timestamp +108
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.254 port 1060, id=0, length=179
Message-Authenticator = 0x82dad12d6a666c1e5b1a0230586b0ad5
Service-Type = Framed-User
User-Name = "user2\000"
Framed-MTU = 1488
Called-Station-Id = "D8-5D-4C-F0-A1-B4:TP-LINK_F0A1B4"
Calling-Station-Id = "00-1C-BF-66-4C-E3"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0200000a017573657232
NAS-IP-Address = 192.168.1.5
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "user2", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 10
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry user2 at line 4
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Login incorrect: [user2\000/<via Auth-Type = Reject>] (from client apek port 1 cli 00-1C-BF-66-4C-E3)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> user2
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 11 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 11
Sending Access-Reject of id 0 to 192.168.1.254 port 1060
Waking up in 4.9 seconds.
Cleaning up request 11 ID 0 with timestamp +123
Ready to process requests.
eap.conf
eap {
default_eap_type = tls
timer_expire = 60
ignore_unkown_eap_types = no
cisco_accounting_username_bug = no
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = redygo6
private_key_file = ${certdir}/server_keycert.pem
certificate_file = ${certdir}/server_keycert.pem
CA_file = ${cadir}/cacert.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
fragment_size = 1024
include_length = yes
check_cert_cn = %{User-Name}
cipher_list = "DEFAULT"
}
peap {
default_eap_type = mschapv2
}
mschapv2{
}
}
clients.conf
client 192.168.1.0/24 {
secret = haslo_do_radiusa
shortname = apek
}
users
"root" User-Password == "admin"
"root2" Cleartext-Password == "admin2"
user1 Auth-Type := Accept
user2 Auth-Type := Reject
