FreeRadius - 802.1X - FAILED to execute /etc/raddb/modules/n

Ari
Posts: 10
Joined: 2015/03/09 11:19:28

FreeRadius - 802.1X - FAILED to execute /etc/raddb/modules/n

Post by Ari » 2015/03/16 09:07:28

Hi,

I'm sorry to bother you, but I have a FreeRadius problem again.

Now my radius -X output shows:
Exec-Program output: Exec-Program: FAILED to execute /etc/raddb/modules/ntlm_auth: Exec format error

Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute /etc/raddb/modules/ntlm_auth: Exec format error

++[ntlm_auth] returns reject

Using Post-Auth-Type Reject


My ntlm_auth file:
exec ntlm_auth {
	wait = yes
	program = "/etc/raddb/modules/ntlm_auth --request-nt-key --Domain=DOM --username=%{mschap:User-Name} --password=%{User-Password}"
}


I cannot see the problem :cry: sorry
_______________________________________________________________________________________________________________________________
In /etc/raddb/policy.conf I see this:
forbid_eap {
	if (EAP-Message) {
		reject
	}
}

permit_only_eap {
	if (!EAP-Message) {
		if (!....)
			reject
	}
}


Thank you for helping :)
Best wishes,
Ari

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: FreeRadius - 802.1X - FAILED to execute /etc/raddb/modul

Post by TrevorH » 2015/03/16 09:51:20

Run rpm -V freeradius and see if any files are listed as modified. If your /etc/raddb/modules/ntlm_auth is listed there then it's been corrupted and you should yum reinstall freeradius to correct this.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
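
An added example, not part of either post: the debug output in this thread lists /etc/raddb/modules/ntlm_auth as a configuration file, and the `program` line names that same path as the command to run, so this sketch classifies whatever an exec-style setting points at alongside the `rpm -V` check above. The helper names (`exec_targets`, `classify_target`, `audit_module`, `make_sample`) and the sample files are constructed for illustration, and the magic-byte test only approximates the kernel's rules (ELF or `#!`, ignoring binfmt_misc).

```shell
#!/bin/sh
# Added example (not from the thread): what would execve() make of the
# path named in a FreeRADIUS exec-style setting?

# Print the first word of every `program = "..."` or `ntlm_auth = "..."`
# value in module file $1, i.e. the path the server would try to execute.
exec_targets() {
    sed -n \
        -e 's/^[[:space:]]*program[[:space:]]*=[[:space:]]*"\([^"[:space:]]*\).*/\1/p' \
        -e 's/^[[:space:]]*ntlm_auth[[:space:]]*=[[:space:]]*"\([^"[:space:]]*\).*/\1/p' \
        "$1"
}

# Classify path $1 by the outcome an execve() call on it would have.
classify_target() {
    f=$1
    [ -e "$f" ] || { echo missing; return 0; }
    [ -f "$f" ] || { echo not-regular-file; return 0; }
    [ -x "$f" ] || { echo not-executable; return 0; }   # EACCES, not ENOEXEC
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case $magic in
        7f454c46) echo elf ;;                # \177ELF header
        2321*)    echo script ;;             # file starts with "#!"
        *)        echo exec-format-error ;;  # ENOEXEC: no loader accepts it
    esac
}

# One line per target found in module file $1: "<path> <class>".
audit_module() {
    exec_targets "$1" | while IFS= read -r target; do
        printf '%s %s\n' "$target" "$(classify_target "$target")"
    done
}

# Build a constructed sample tree and print its directory:
#   modules/ntlm_auth  program line names the module file itself
#   modules/mschap     ntlm_auth line names a placeholder ELF file
#   bin/wrapper.sh     a "#!" script
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/modules" "$d/bin"
    printf '%s\n' 'exec ntlm_auth {' '	wait = yes' \
        "	program = \"$d/modules/ntlm_auth --request-nt-key --domain=DOM\"" \
        '}' > "$d/modules/ntlm_auth"
    printf '%s\n' 'mschap {' \
        "	ntlm_auth = \"$d/bin/ntlm_auth --request-nt-key\"" \
        '}' > "$d/modules/mschap"
    printf '\177ELF' > "$d/bin/ntlm_auth"            # placeholder, header only
    printf '#!/bin/sh\nexit 0\n' > "$d/bin/wrapper.sh"
    chmod 755 "$d/modules/ntlm_auth" "$d/bin/ntlm_auth" "$d/bin/wrapper.sh"
    echo "$d"
}

# Demo on the constructed sample.
sample=$(make_sample) && {
    audit_module "$sample/modules/ntlm_auth"
    audit_module "$sample/modules/mschap"
    rm -rf "$sample"
}
```

On a real server the same functions can be pointed at the files under /etc/raddb/modules/ to see which class each configured command falls into.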

Ari
Posts: 10
Joined: 2015/03/09 11:19:28

Re: FreeRadius - 802.1X - FAILED to execute /etc/raddb/modul

Post by Ari » 2015/03/16 10:34:27

Hi,
Thank you TrevorH, I have reinstalled freeradius and edited the inner-tunnel file. Now I get this radiusd -X output:


FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct 15 2014 at 05:01:25
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
main {
	user = "radiusd"
	group = "radiusd"
	allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
	name = "radiusd"
	prefix = "/usr"
	localstatedir = "/var"
	sbindir = "/usr/sbin"
	logdir = "/var/log/radius"
	run_dir = "/var/run/radiusd"
	libdir = "/usr/lib64/freeradius"
	radacctdir = "/var/log/radius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	pidfile = "/var/run/radiusd/radiusd.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
 }
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
	retry_delay = 5
	retry_count = 3
	default_fallback = no
	dead_time = 120
	wake_all_if_all_dead = no
 }
 home_server localhost {
	ipaddr = 127.0.0.1
	port = 1812
	type = "auth"
	secret = "testing123"
	response_window = 20.000000
	response_timeouts = 1
	max_outstanding = 65536
	require_message_authenticator = yes
	zombie_period = 40
	status_check = "status-server"
	ping_interval = 30
	check_interval = 30
	num_answers_to_alive = 3
	num_pings_to_alive = 3
	revive_interval = 120
	status_check_timeout = 4
  coa {
	irt = 2
	mrt = 16
	mrc = 5
	mrd = 30
  }
 }
 home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
 }
 realm example.com {
	auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = "e34rt56z"
	nastype = "other"
 }
 client 192.168.1.0/24 {
	require_message_authenticator = no
	secret = "e34rt56z"
	shortname = "192.168.1.254"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /etc/raddb/modules/exec
  exec {
	wait = no
	input_pairs = "request"
	shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /etc/raddb/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration
  expiration {
	reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime
  logintime {
	reply-message = "You are calling outside your allowed timespan  "
	minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
 modules {
  Module: Creating Auth-Type = ntlm_auth
  Module: Creating Auth-Type = digest
  Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Instantiating module "ntlm_auth" from file /etc/raddb/modules/ntlm_auth
  exec ntlm_auth {
	wait = yes
	program = "/etc/raddb/modules/ntlm_auth --request-nt-key --domain=TEST --username=%{mschap:User-Name} --password=%{User-Password}"
	input_pairs = "request"
	shell_escape = yes
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /etc/raddb/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
  mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes
	ntlm_auth = "/etc/raddb/modules/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-TEST} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
	allow_retry = yes
  }
 Module: Linked to module rlm_digest
 Module: Instantiating module "digest" from file /etc/raddb/modules/digest
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /etc/raddb/modules/unix
  unix {
	radwtmp = "/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/raddb/eap.conf
  eap {
	default_eap_type = "peap"
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
	challenge = "Password: "
	auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
	rsa_key_exchange = no
	dh_key_exchange = yes
	rsa_key_length = 512
	dh_key_length = 512
	verify_depth = 0
	CA_path = "/etc/raddb/certs"
	pem_file_type = yes
	private_key_file = "/etc/raddb/certs/server.pem"
	certificate_file = "/etc/raddb/certs/server.pem"
	CA_file = "/etc/raddb/certs/ca.pem"
	private_key_password = "e34rt56z"
	dh_file = "/etc/raddb/certs/dh"
	random_file = "/dev/urandom"
	fragment_size = 1024
	include_length = yes
	check_crl = no
	cipher_list = "DEFAULT"
	ecdh_curve = "prime256v1"
    cache {
	enable = no
	lifetime = 24
	max_entries = 255
    }
    verify {
    }
    ocsp {
	enable = no
	override_cert_url = yes
	url = "http://127.0.0.1/ocsp/"
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
	default_eap_type = "md5"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	virtual_server = "inner-tunnel"
	include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
	default_eap_type = "mschapv2"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	proxy_tunneled_request_as_eap = yes
	virtual_server = "inner-tunnel"
	soh = no
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
	with_ntdomain_hack = no
	send_error = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /etc/raddb/modules/pap
  pap {
	encryption_scheme = "auto"
	auto_header = no
  }
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess
  preprocess {
	huntgroups = "/etc/raddb/huntgroups"
	hints = "/etc/raddb/hints"
	with_ascend_hack = no
	ascend_channels_per_line = 23
	with_ntdomain_hack = no
	with_specialix_jetstream_hack = no
	with_cisco_vsa_hack = no
	with_alvarion_vsa_hack = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique
  acct_unique {
	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
  realm suffix {
	format = "suffix"
	delimiter = "@"
	ignore_default = no
	ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /etc/raddb/modules/files
  files {
	usersfile = "/etc/raddb/users"
	acctusersfile = "/etc/raddb/acct_users"
	preproxy_usersfile = "/etc/raddb/preproxy_users"
	compat = "no"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module "detail" from file /etc/raddb/modules/detail
  detail {
	detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
	header = "%t"
	detailperm = 384
	dirperm = 493
	locking = no
	log_packet_header = no
  }
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
  radutmp {
	filename = "/var/log/radius/radutmp"
	username = "%{User-Name}"
	case_sensitive = yes
	check_with_nas = yes
	perm = 384
	callerid = yes
  }
 Module: Linked to module rlm_sql
 Module: Instantiating module "sql" from file /etc/raddb/sql.conf
  sql {
	driver = "rlm_sql_mysql"
	server = "localhost"
	port = ""
	login = "radius"
	password = "radpass"
	radius_db = "radius"
	read_groups = yes
	sqltrace = no
	sqltracefile = "/var/log/radius/sqltrace.sql"
	readclients = no
	deletestalesessions = yes
	num_sql_socks = 5
	lifetime = 0
	max_queries = 0
	sql_user_name = "%{User-Name}"
	default_user_profile = ""
	nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
	authorize_check_query = "SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id"
	authorize_reply_query = "SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id"
	authorize_group_check_query = "SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id"
	authorize_group_reply_query = "SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id"
	accounting_onoff_query = "          UPDATE radacct           SET              acctstoptime       =  '%S',              acctsessiontime    =  unix_timestamp('%S') -                                    unix_timestamp(acctstarttime),              acctterminatecause =  '%{Acct-Terminate-Cause}',              acctstopdelay      =  %{%{Acct-Delay-Time}:-0}           WHERE acctstoptime IS NULL           AND nasipaddress      =  '%{NAS-IP-Address}'           AND acctstarttime     <= '%S'"
	accounting_update_query = "           UPDATE radacct           SET              framedipaddress = '%{Framed-IP-Address}',              acctsessiontime     = '%{Acct-Session-Time}',              acctinputoctets     = '%{%{Acct-Input-Gigawords}:-0}'  << 32 |                                    '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets    = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                    '%{%{Acct-Output-Octets}:-0}'           WHERE acctsessionid = '%{Acct-Session-Id}'           AND username        = '%{SQL-User-Name}'           AND nasipaddress    = '%{NAS-IP-Address}'"
	accounting_update_query_alt = "           INSERT INTO radacct             (acctsessionid,    acctuniqueid,      username,              realm,            nasipaddress,      nasportid,              nasporttype,      acctstarttime,     acctsessiontime,              acctauthentic,    connectinfo_start, acctinputoctets,              acctoutputoctets, calledstationid,   callingstationid,              servicetype,      framedprotocol,    framedipaddress,              acctstartdelay,   xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}',              DATE_SUB('%S',                       INTERVAL (%{%{Acct-Session-Time}:-0} +                                 %{%{Acct-Delay-Time}:-0}) SECOND),                       '%{Acct-Session-Time}',              '%{Acct-Authentic}', '',              '%{%{Acct-Input-Gigawords}:-0}' << 32 |              '%{%{Acct-Input-Octets}:-0}',              '%{%{Acct-Output-Gigawords}:-0}' << 32 |              '%{%{Acct-Output-Octets}:-0}',              '%{Called-Station-Id}', '%{Calling-Station-Id}',              '%{Service-Type}', '%{Framed-Protocol}',              '%{Framed-IP-Address}',              '0', '%{X-Ascend-Session-Svr-Key}')"
	accounting_start_query = "           INSERT INTO radacct             (acctsessionid,    acctuniqueid,     username,              realm,            nasipaddress,     nasportid,              nasporttype,      acctstarttime,    acctstoptime,              acctsessiontime,  acctauthentic,    connectinfo_start,              connectinfo_stop, acctinputoctets,  acctoutputoctets,              calledstationid,  callingstationid, acctterminatecause,              servicetype,      framedprotocol,   framedipaddress,              acctstartdelay,   acctstopdelay,    xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,              '0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0', '0',              '%{Called-Station-Id}', '%{Calling-Station-Id}', '',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',              '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
	accounting_start_query_alt = "           UPDATE radacct SET              acctstarttime     = '%S',              acctstartdelay    = '%{%{Acct-Delay-Time}:-0}',              connectinfo_start = '%{Connect-Info}'           WHERE acctsessionid  = '%{Acct-Session-Id}'           AND username         = '%{SQL-User-Name}'           AND nasipaddress     = '%{NAS-IP-Address}'"
	accounting_stop_query = "           UPDATE radacct SET              acctstoptime       = '%S',              acctsessiontime    = '%{Acct-Session-Time}',              acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Output-Octets}:-0}',              acctterminatecause = '%{Acct-Terminate-Cause}',              acctstopdelay      = '%{%{Acct-Delay-Time}:-0}',              connectinfo_stop   = '%{Connect-Info}'           WHERE acctsessionid   = '%{Acct-Session-Id}'           AND username          = '%{SQL-User-Name}'           AND nasipaddress      = '%{NAS-IP-Address}'"
	accounting_stop_query_alt = "           INSERT INTO radacct             (acctsessionid, acctuniqueid, username,              realm, nasipaddress, nasportid,              nasporttype, acctstarttime, acctstoptime,              acctsessiontime, acctauthentic, connectinfo_start,              connectinfo_stop, acctinputoctets, acctoutputoctets,              calledstationid, callingstationid, acctterminatecause,              servicetype, framedprotocol, framedipaddress,              acctstartdelay, acctstopdelay)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}',              DATE_SUB('%S',                  INTERVAL (%{%{Acct-Session-Time}:-0} +                  %{%{Acct-Delay-Time}:-0}) SECOND),              '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '',              '%{Connect-Info}',              '%{%{Acct-Input-Gigawords}:-0}' << 32 |              '%{%{Acct-Input-Octets}:-0}',              '%{%{Acct-Output-Gigawords}:-0}' << 32 |              '%{%{Acct-Output-Octets}:-0}',              '%{Called-Station-Id}', '%{Calling-Station-Id}',              '%{Acct-Terminate-Cause}',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',              '0', '%{%{Acct-Delay-Time}:-0}')"
	group_membership_query = "SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority"
	connect_failure_retry_delay = 60
	simul_count_query = ""
	simul_verify_query = "SELECT radacctid, acctsessionid, username,                                nasipaddress, nasportid, framedipaddress,                                callingstationid, framedprotocol                                FROM radacct                                WHERE username = '%{SQL-User-Name}'                                AND acctstoptime IS NULL"
	postauth_query = "INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S')"
	safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  }
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radius@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql_mysql: Couldn't connect socket to MySQL server radius@localhost:radius
rlm_sql_mysql: Mysql error 'Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)'
rlm_sql (sql): Failed to connect DB handle #0
rlm_sql (sql): starting 1
rlm_sql (sql): starting 2
rlm_sql (sql): starting 3
rlm_sql (sql): starting 4
rlm_sql (sql): Failed to connect to any SQL server.
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter
  attr_filter attr_filter.accounting_response {
	attrsfile = "/etc/raddb/attrs.accounting_response"
	key = "%{User-Name}"
	relaxed = no
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter
  attr_filter attr_filter.access_reject {
	attrsfile = "/etc/raddb/attrs.access_reject"
	key = "%{User-Name}"
	relaxed = no
  }
 } # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Loading virtual module ntlm_auth
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 0
}
listen {
	type = "acct"
	ipaddr = *
	port = 0
}
listen {
	type = "control"
 listen {
	socket = "/var/run/radiusd/radiusd.sock"
 }
}
listen {
	type = "auth"
	ipaddr = 127.0.0.1
	port = 18120
}
 ... adding new socket proxy address * port 51935
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.254 port 49205, id=26, length=129
	NAS-IP-Address = 192.168.1.254
	NAS-Port-Type = Ethernet
	NAS-Port = 69
	User-Name = "TEST\\ClientW7"
	Called-Station-Id = "10-BD-18-BE-1B-DE"
	Calling-Station-Id = "5C-26-0A-27-BA-F4"
	EAP-Message = 0x0201001201544553545c436c69656e745737
	Message-Authenticator = 0x66b9e93b224b7ab610b4fc3bfd1b15d2
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 1 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 26 to 192.168.1.254 port 49205
	EAP-Message = 0x010200061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x4041b1054043a8b78a74d820a7d3bc56
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 49205, id=27, length=234
	NAS-IP-Address = 192.168.1.254
	NAS-Port-Type = Ethernet
	NAS-Port = 69
	User-Name = "TEST\\ClientW7"
	State = 0x4041b1054043a8b78a74d820a7d3bc56
	Called-Station-Id = "10-BD-18-BE-1B-DE"
	Calling-Station-Id = "5C-26-0A-27-BA-F4"
	EAP-Message = 0x0202006919800000005f160301005a0100005603015506b4585a48477872cfe6b5c9718601e45af085d870d1ed52cf964bfb7fe554000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100
	Message-Authenticator = 0x495d804d17e8e7e8598ac172492c476f
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 2 length 105
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 95
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005a], ClientHello  
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello  
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 083d], Certificate  
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 27 to 192.168.1.254 port 49205
	EAP-Message = 0x41301e170d3135303331313131323830345a170d3235303331383131323830345a3073310b3009060355040613024445310f300d0603550408130648657373656e311b3019060355040a13124573736578204765726d616e7920476d624831123010060355040313097261646975737372763122302006092a864886f70d0109011613726f6e6a612e7265737440737073782e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100e9c80835f453aa681016c7402bc5f5dab52c94d78a0e7edd60d23bed90163739e5166bed908de4f333504984c9a0dbadbb2c41d55d8ae6047946b73a0073ab3061a2e30e76fb
	EAP-Message = 0x467f4f915897bcacd8a473a3bc4913e1f714ffb10ca3b1952df57d13f94d89c335bc6c1a6e55dd27c206a92d70204fa32d1220f70b511cb0c4b971e4cb13caf5c159f3429aee45fa92aef112a4e368217fe5537e08c82a90a9041b2f83c172a63842d8019196ed09733ffe82446c350a0a47b41351ecf29eb0245ca42af77ab0538504196406eaccaccf20a11989a80cc25303d30baa0e52954e7a29957c826b4b8cb2000e725213cb4082e573a466c816f79723aab41641a7ea3d530a90c83275099781710248808cefdb2532a0a6677030d6f4df1a32d8f59e42141507adb39f0b6b8b18d453914132eb5258be46000499308204953082037da00302
	EAP-Message = 0x0102020900aea88b96dc0007
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x4041b1054142a8b78a74d820a7d3bc56
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 49205, id=28, length=135
	NAS-IP-Address = 192.168.1.254
	NAS-Port-Type = Ethernet
	NAS-Port = 69
	User-Name = "TEST\\ClientW7"
	State = 0x4041b1054142a8b78a74d820a7d3bc56
	Called-Station-Id = "10-BD-18-BE-1B-DE"
	Calling-Station-Id = "5C-26-0A-27-BA-F4"
	EAP-Message = 0x020300061900
	Message-Authenticator = 0x4c2bc746c413c9a2a663788bff4d55bb
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 28 to 192.168.1.254 port 49205
	EAP-Message = 0xa5d26d6a829b29aa
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x4041b1054245a8b78a74d820a7d3bc56
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 49205, id=29, length=135
	NAS-IP-Address = 192.168.1.254
	NAS-Port-Type = Ethernet
	NAS-Port = 69
	User-Name = "TEST\\ClientW7"
	State = 0x4041b1054245a8b78a74d820a7d3bc56
	Called-Station-Id = "10-BD-18-BE-1B-DE"
	Calling-Station-Id = "5C-26-0A-27-BA-F4"
	EAP-Message = 0x020400061900
	Message-Authenticator = 0x2864b8f8371f9a05ad0f12a745ff3281
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 29 to 192.168.1.254 port 49205
	EAP-Message = 0x0105009b1900c85627819db8f90a5b8e7735e86a601412a9a19c865bd798285b05459ee42ff5b51ae22cb8024d84ac0ac7710c105a6a36a665eaf3abea5bd0654b72cd499a95299e9dfd3781a796bb03e9052036aaea51613162db5678d47d76b06cd3e6c2a69a52284363f5f7426f601092a258ed4e82cd15f35e0e929cd3e1bac37af732a45726462e93e1a0912fe7967c16030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x4041b1054344a8b78a74d820a7d3bc56
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 49205, id=30, length=467
	NAS-IP-Address = 192.168.1.254
	NAS-Port-Type = Ethernet
	NAS-Port = 69
	User-Name = "TEST\\ClientW7"
	State = 0x4041b1054344a8b78a74d820a7d3bc56
	Called-Station-Id = "10-BD-18-BE-1B-DE"
	Calling-Station-Id = "5C-26-0A-27-BA-F4"
	EAP-Message = 0xafd56627767dd5dfc9e25eb451c7065ca77ea168bc5279231403010001011603010030771baf5ca1b880a89f0960e0a575c2b7d038c9b9741e641798223c5f99ec6daa05e21abb549d04f59fa66decf769022e
	Message-Authenticator = 0x7bc7b234a86378a43f19ff5e44da2c0c
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 5 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange  
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[peap] <<< TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 30 to 192.168.1.254 port 49205
	EAP-Message = 0x0106004119001403010001011603010030628391af22dc4ff7e107c3e946423132e0785ba75a864f7ad7333a9477d6412c0195849c4a318b02b4569550e2a3bac8
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x4041b1054447a8b78a74d820a7d3bc56
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 26 with timestamp +60
Cleaning up request 1 ID 27 with timestamp +60
Cleaning up request 2 ID 28 with timestamp +60
Cleaning up request 3 ID 29 with timestamp +60
Cleaning up request 4 ID 30 with timestamp +60
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x4041b1054447a8b7 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.254 port 49205, id=31, length=135
	NAS-IP-Address = 192.168.1.254
	NAS-Port-Type = Ethernet
	NAS-Port = 69
	User-Name = "TEST\\ClientW7"
	State = 0x4041b1054447a8b78a74d820a7d3bc56
	Called-Station-Id = "10-BD-18-BE-1B-DE"
	Calling-Station-Id = "5C-26-0A-27-BA-F4"
	EAP-Message = 0x020600061900
	Message-Authenticator = 0xa8f6f3368ee4dd3e46b2b729b8f782bc
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3 
[peap] eaptls_process returned 3 
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 31 to 192.168.1.254 port 49205
	EAP-Message = 0x0107002b190017030100204b588a99b83f2055e7715bf892bade5b43a1b6288663b034957b95db6cef1846
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x4041b1054546a8b78a74d820a7d3bc56
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 49205, id=32, length=188
	NAS-IP-Address = 192.168.1.254
	NAS-Port-Type = Ethernet
	NAS-Port = 69
	User-Name = "TEST\\ClientW7"
	State = 0x4041b1054546a8b78a74d820a7d3bc56
	Called-Station-Id = "10-BD-18-BE-1B-DE"
	Calling-Station-Id = "5C-26-0A-27-BA-F4"
	EAP-Message = 0x0207003b19001703010030842030f2b897c0b618ca5e8d4c6e797e997660ac1782c2ea8cf8510b9ddf83d941bc370124857f17c745e70d01892162
	Message-Authenticator = 0xc66e47dd90be81356bb63ad647e48712
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 7 length 59
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - TEST\ClientW7
[peap] Got inner identity 'TEST\ClientW7'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
	EAP-Message = 0x0207001201544553545c436c69656e745737
server  {
[peap] Setting User-Name to TEST\ClientW7
Sending tunneled request
	EAP-Message = 0x0207001201544553545c436c69656e745737
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "TEST\\ClientW7"
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++- entering policy ntlm_auth.authorize {...}
+++? if (!control:Auth-Type && User-Password)
? Evaluating !(control:Auth-Type ) -> TRUE
? Evaluating (User-Password) -> FALSE
+++? if (!control:Auth-Type && User-Password) -> FALSE
++- policy ntlm_auth.authorize returns noop
++[mschap] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
	EAP-Message = 0x010800271a0108002210086e60a7f33099d13e1251d3b8963edf544553545c436c69656e745737
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x1c8d3a0f1c8520598a03261ed13a3ff6
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x010800271a0108002210086e60a7f33099d13e1251d3b8963edf544553545c436c69656e745737
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x1c8d3a0f1c8520598a03261ed13a3ff6
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 32 to 192.168.1.254 port 49205
	EAP-Message = 0x0108004b190017030100409c6c0f82fd03d32205b64c353df2bd3bc7e63c0882cb6bb5e54f728a4e13c0a724835a654b48544958898ee132642ec6a8571fd269b1cad6d56d0dc4ceba731b
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x4041b1054649a8b78a74d820a7d3bc56
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 49205, id=33, length=236
	NAS-IP-Address = 192.168.1.254
	NAS-Port-Type = Ethernet
	NAS-Port = 69
	User-Name = "TEST\\ClientW7"
	State = 0x4041b1054649a8b78a74d820a7d3bc56
	Called-Station-Id = "10-BD-18-BE-1B-DE"
	Calling-Station-Id = "5C-26-0A-27-BA-F4"
	EAP-Message = 0x0208006b190017030100602be4648ca682831896b4b052ce67f13b43e18df3732462b1727cead78db32152a3ea8c74c1dc15451d18c50c340aa74d515e8d875d29e7bba247c63de83067afb15d9c81e3f68839c5e3e2843a433335ad08c1614a0e5670b90231814c1b4e54
	Message-Authenticator = 0xcd8883d426f5f0ad9b6b2c89736aec93
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 8 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x020800481a02080043319cb1ee2d01098cd942a7ae0062d1c3c90000000000000000b062f29da76cd37498a111518f09fee4438d525d2ed72b4200544553545c436c69656e745737
server  {
[peap] Setting User-Name to TEST\ClientW7
Sending tunneled request
	EAP-Message = 0x020800481a02080043319cb1ee2d01098cd942a7ae0062d1c3c90000000000000000b062f29da76cd37498a111518f09fee4438d525d2ed72b4200544553545c436c69656e745737
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "TEST\\ClientW7"
	State = 0x1c8d3a0f1c8520598a03261ed13a3ff6
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++- entering policy ntlm_auth.authorize {...}
+++? if (!control:Auth-Type && User-Password)
? Evaluating !(control:Auth-Type ) -> TRUE
? Evaluating (User-Password) -> FALSE
+++? if (!control:Auth-Type && User-Password) -> FALSE
++- policy ntlm_auth.authorize returns noop
++[mschap] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 72
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: ClientW7
[mschap] Told to do MS-CHAPv2 for ClientW7 with NT-Password
[mschap] 	expand: --username=%{mschap:User-Name:-None} -> --username=ClientW7
[mschap] 	expand: %{mschap:NT-Domain} -> TEST
[mschap] 	expand: --domain=%{%{mschap:NT-Domain}:-TEST} -> --domain=TEST
[mschap] Creating challenge hash with username: ClientW7
[mschap] 	expand: --challenge=%{mschap:Challenge:-00} -> --challenge=48f7bdbb511b369a
[mschap] 	expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=b062f29da76cd37498a111518f09fee4438d525d2ed72b42
Exec-Program output: Exec-Program: FAILED to execute /etc/raddb/modules/ntlm_auth: Exec format error 
Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute /etc/raddb/modules/ntlm_auth: Exec format error 
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
	MS-CHAP-Error = "\010E=691 R=1"
	EAP-Message = 0x04080004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
	MS-CHAP-Error = "\010E=691 R=1"
	EAP-Message = 0x04080004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 33 to 192.168.1.254 port 49205
	EAP-Message = 0x0109002b190017030100203bc753b9fec2692588b06dc5201e7ed538850ae705fb01cea9d264ba73b9d176
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x4041b1054748a8b78a74d820a7d3bc56
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 49205, id=34, length=172
	NAS-IP-Address = 192.168.1.254
	NAS-Port-Type = Ethernet
	NAS-Port = 69
	User-Name = "TEST\\ClientW7"
	State = 0x4041b1054748a8b78a74d820a7d3bc56
	Called-Station-Id = "10-BD-18-BE-1B-DE"
	Calling-Station-Id = "5C-26-0A-27-BA-F4"
	EAP-Message = 0x0209002b19001703010020d1ecf13ea5b0a9304b5dfe9bc81027fc52f7e4bcc6f4f5714f9e9aa16b951fcb
	Message-Authenticator = 0x7045bbb718df0e7c72d8bb39f13f6ff1
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> TEST\ClientW7
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 34 to 192.168.1.254 port 49205
	EAP-Message = 0x04090004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 5 ID 31 with timestamp +70
Cleaning up request 6 ID 32 with timestamp +70
Cleaning up request 7 ID 33 with timestamp +70
Waking up in 1.0 seconds.
Cleaning up request 8 ID 34 with timestamp +70
Ready to process requests.

I am trying to authenticate with ntlm_auth and use the Active Directory (Windows) to authenticate clients.

Thank you.
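
The "Exec format error" in the output above is the kernel's ENOEXEC result from execve(): the file at the configured path can be opened for execution but is neither a recognised binary nor a script with a "#!" line. The following is an added example, not part of the original post and not FreeRADIUS code; it pulls the failing path out of radiusd -X output and classifies the file, and the function names and the demo file are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage "FAILED to execute" lines from radiusd -X output.

# Print each distinct program path that radiusd reported it could not execute.
failed_exec_paths() {
    sed -n 's/.*FAILED to execute \([^:]*\): .*/\1/p' | sort -u
}

# Report what execve() would make of a file, using errno names:
#   ENOENT    path does not exist
#   EACCES    not a regular file, or no execute permission for this user
#   ENOEXEC   execute permission set, but neither ELF nor "#!" script
#             (the "Exec format error" text in the log)
#   ok-elf    starts with the ELF magic; a binary built for another
#             architecture would still fail with ENOEXEC at run time
#   ok-script starts with "#!"
classify_exec_target() {
    [ -e "$1" ] || { echo ENOENT; return 0; }
    { [ -f "$1" ] && [ -x "$1" ]; } || { echo EACCES; return 0; }
    magic=$(dd if="$1" bs=1 count=4 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case $magic in
        7f454c46) echo ok-elf ;;
        2321*)    echo ok-script ;;
        *)        echo ENOEXEC ;;
    esac
}

# Read radiusd -X output on stdin; print "<path>: <class>" per failed program.
triage_exec_failures() {
    failed_exec_paths | while IFS= read -r path; do
        printf '%s: %s\n' "$path" "$(classify_exec_target "$path")"
    done
}

# Constructed demo: a module-config style text file with the execute bit set,
# referenced from a log line shaped like the one in the post.
demo() {
    d=$(mktemp -d) || return 1
    printf 'exec ntlm_auth {\n\twait = yes\n}\n' > "$d/ntlm_auth"
    chmod 755 "$d/ntlm_auth"
    printf 'Exec-Program: FAILED to execute %s: Exec format error \n' \
        "$d/ntlm_auth" | triage_exec_failures
    rm -rf "$d"
}
demo
```

On a real server, pipe the saved debug output into triage_exec_failures; a result of ENOEXEC means the path names a text file such as a module configuration rather than a program.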

Ari
Posts: 10
Joined: 2015/03/09 11:19:28

Re: FreeRadius - 802.1X - FAILED to execute /etc/raddb/modul

Post by Ari » 2015/03/16 10:49:30

http://networkradius.com/freeradius.html

On this Internet page, you can get a colorful output :)
