EAP Submodule failed. PAM module issue.


bhp1
Greetings, I'm a FreeRADIUS newbie and I apologize if I make mistakes with
some concepts or fail to get my point across (English is not my first
language). Anyway, I'm setting up FreeRADIUS on Ubuntu Server 18.04 to
authenticate users (teachers, students) through their Google accounts (we
have a couple of domains for each one), so I was advised to use the PAM-IMAP
module. When trying to authenticate, however, it fails going through the
eap-peap authentication. I read the output and checked that authentication
is invalid in the PAM module; however, I do not know how to fix it.

This is the output:

(0) Received Access-Request Id 11 from 192.168.128.34:39957 to
146.83.124.26:1812 length 401

(0)   User-Name = "[hidden email]"

(0)   NAS-IP-Address = 192.168.128.34

(0)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(0)   NAS-Port-Type = Wireless-802.11

(0)   Service-Type = Framed-User

(0)   NAS-Port = 1

(0)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(0)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 56 / Channel: 1"

(0)   Acct-Session-Id = "B51015A162BFE948"

(0)   Acct-Multi-Session-Id = "8F5640A8CB689CCA"

(0)   WLAN-Pairwise-Cipher = 1027076

(0)   WLAN-Group-Cipher = 1027074

(0)   WLAN-AKM-Suite = 1027073

(0)   WLAN-Group-Mgmt-Cipher = 1027078

(0)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(0)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(0)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(0)   Meraki-Device-Name = "AP-V1-Soporte"

(0)   Framed-MTU = 1400

(0)   EAP-Message = 0x0273001001776966694075636e2e636c

(0)   Message-Authenticator = 0xae977006014c0b9d5e053dcf6096b593

(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(0)   authorize {

(0)     policy filter_username {

(0)       if (&User-Name) {

(0)       if (&User-Name)  -> TRUE

(0)       if (&User-Name)  {

(0)         if (&User-Name =~ / /) {

(0)         if (&User-Name =~ / /)  -> FALSE

(0)         if (&User-Name =~ /@[^@]*@/ ) {

(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(0)         if (&User-Name =~ /\.\./ ) {

(0)         if (&User-Name =~ /\.\./ )  -> FALSE

(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(0)         if (&User-Name =~ /\.$/)  {

(0)         if (&User-Name =~ /\.$/)   -> FALSE

(0)         if (&User-Name =~ /@\./)  {

(0)         if (&User-Name =~ /@\./)   -> FALSE

(0)       } # if (&User-Name)  = notfound

(0)     } # policy filter_username = notfound

(0)     [preprocess] = ok

(0) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d

(0) auth_log:    --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200828

(0) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200828

(0) auth_log: EXPAND %t

(0) auth_log:    --> Fri Aug 28 18:49:24 2020

(0)     [auth_log] = ok

(0)     [chap] = noop

(0)     [mschap] = noop

(0)     [digest] = noop

(0) suffix: Checking for suffix after "@"

(0) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(0) suffix: Found realm "ucn.cl"

(0) suffix: Adding Stripped-User-Name = "wifi"

(0) suffix: Adding Realm = "ucn.cl"

(0) suffix: Authentication realm is LOCAL

(0)     [suffix] = ok

(0) eap: Peer sent EAP Response (code 2) ID 115 length 16

(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize

(0)     [eap] = ok

(0)   } # authorize = ok

(0) Found Auth-Type = eap

(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(0)   authenticate {

(0) eap: Peer sent packet with method EAP Identity (1)

(0) eap: Calling submodule eap_peap to process data

(0) eap_peap: Initiating new EAP-TLS session

(0) eap_peap: [eaptls start] = request

(0) eap: Sending EAP Request (code 1) ID 116 length 6

(0) eap: EAP session adding &reply:State = 0x21dd954121a98c3d

(0)     [eap] = handled

(0)   } # authenticate = handled

(0) Using Post-Auth-Type Challenge

(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(0)   Challenge { ... } # empty sub-section is ignored

(0) Sent Access-Challenge Id 11 from 146.83.124.26:1812 to
192.168.128.34:39957 length 0

(0)   EAP-Message = 0x017400061920

(0)   Message-Authenticator = 0x00000000000000000000000000000000

(0)   State = 0x21dd954121a98c3dcbc41c49c2b781e8

(0) Finished request

Waking up in 4.9 seconds.

(1) Received Access-Request Id 12 from 192.168.128.34:39957 to
146.83.124.26:1812 length 569

(1)   User-Name = "[hidden email]"

(1)   NAS-IP-Address = 192.168.128.34

(1)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(1)   NAS-Port-Type = Wireless-802.11

(1)   Service-Type = Framed-User

(1)   NAS-Port = 1

(1)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(1)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 58 / Channel: 1"

(1)   Acct-Session-Id = "B51015A162BFE948"

(1)   Acct-Multi-Session-Id = "8F5640A8CB689CCA"

(1)   WLAN-Pairwise-Cipher = 1027076

(1)   WLAN-Group-Cipher = 1027074

(1)   WLAN-AKM-Suite = 1027073

(1)   WLAN-Group-Mgmt-Cipher = 1027078

(1)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(1)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(1)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(1)   Meraki-Device-Name = "AP-V1-Soporte"

(1)   Framed-MTU = 1400

(1)   EAP-Message =
0x027400a619800000009c16030300970100009303035f4989f5fe7058f0113f2253369f4f35c5566c645792b9886416adff683207c000002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000040000500050100000000000a00080006001d

(1)   State = 0x21dd954121a98c3dcbc41c49c2b781e8

(1)   Message-Authenticator = 0xe979fd0de253104acb886c6a7bb04df5

(1) session-state: No cached attributes

(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(1)   authorize {

(1)     policy filter_username {

(1)       if (&User-Name) {

(1)       if (&User-Name)  -> TRUE

(1)       if (&User-Name)  {

(1)         if (&User-Name =~ / /) {

(1)         if (&User-Name =~ / /)  -> FALSE

(1)         if (&User-Name =~ /@[^@]*@/ ) {

(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(1)         if (&User-Name =~ /\.\./ ) {

(1)         if (&User-Name =~ /\.\./ )  -> FALSE

(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(1)         if (&User-Name =~ /\.$/)  {

(1)         if (&User-Name =~ /\.$/)   -> FALSE

(1)         if (&User-Name =~ /@\./)  {

(1)         if (&User-Name =~ /@\./)   -> FALSE

(1)       } # if (&User-Name)  = notfound

(1)     } # policy filter_username = notfound

(1)     [preprocess] = ok

(1) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d

(1) auth_log:    --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200828

(1) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200828

(1) auth_log: EXPAND %t

(1) auth_log:    --> Fri Aug 28 18:49:24 2020

(1)     [auth_log] = ok

(1)     [chap] = noop

(1)     [mschap] = noop

(1)     [digest] = noop

(1) suffix: Checking for suffix after "@"

(1) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(1) suffix: Found realm "ucn.cl"

(1) suffix: Adding Stripped-User-Name = "wifi"

(1) suffix: Adding Realm = "ucn.cl"

(1) suffix: Authentication realm is LOCAL

(1)     [suffix] = ok

(1) eap: Peer sent EAP Response (code 2) ID 116 length 166

(1) eap: Continuing tunnel setup

(1)     [eap] = ok

(1)   } # authorize = ok

(1) Found Auth-Type = eap

(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(1)   authenticate {

(1) eap: Expiring EAP session with state 0x21dd954121a98c3d

(1) eap: Finished EAP session with state 0x21dd954121a98c3d

(1) eap: Previous EAP request found for state 0x21dd954121a98c3d, released
from the list

(1) eap: Peer sent packet with method EAP PEAP (25)

(1) eap: Calling submodule eap_peap to process data

(1) eap_peap: Continuing EAP-TLS

(1) eap_peap: Peer indicated complete TLS record size will be 156 bytes

(1) eap_peap: Got complete TLS record (156 bytes)

(1) eap_peap: [eaptls verify] = length included

(1) eap_peap: (other): before SSL initialization

(1) eap_peap: TLS_accept: before SSL initialization

(1) eap_peap: TLS_accept: before SSL initialization

(1) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0097]

(1) eap_peap: TLS_accept: SSLv3/TLS read client hello

(1) eap_peap: >>> send TLS 1.2  [length 003d]

(1) eap_peap: TLS_accept: SSLv3/TLS write server hello

(1) eap_peap: >>> send TLS 1.2  [length 0d45]

(1) eap_peap: TLS_accept: SSLv3/TLS write certificate

(1) eap_peap: >>> send TLS 1.2  [length 024d]

(1) eap_peap: TLS_accept: SSLv3/TLS write key exchange

(1) eap_peap: >>> send TLS 1.2  [length 0004]

(1) eap_peap: TLS_accept: SSLv3/TLS write server done

(1) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server
done

(1) eap_peap: In SSL Handshake Phase

(1) eap_peap: In SSL Accept mode

(1) eap_peap: [eaptls process] = handled

(1) eap: Sending EAP Request (code 1) ID 117 length 1004

(1) eap: EAP session adding &reply:State = 0x21dd954120a88c3d

(1)     [eap] = handled

(1)   } # authenticate = handled

(1) Using Post-Auth-Type Challenge

(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(1)   Challenge { ... } # empty sub-section is ignored

(1) Sent Access-Challenge Id 12 from 146.83.124.26:1812 to
192.168.128.34:39957 length 0

(1)   EAP-Message =
0x017503ec19c000000fe7160303003d020000390303e6bb468a26622401d34769af834e6eb662e6224e5c0e8d88cacb79590bae22cd00c030000011ff01000100000b000403000102001700001603030d450b000d41000d3e000601308205fd308203e5a003020102020101300d06092a864886f70d0101

(1)   Message-Authenticator = 0x00000000000000000000000000000000

(1)   State = 0x21dd954120a88c3dcbc41c49c2b781e8

(1) Finished request

Waking up in 4.9 seconds.

(2) Received Access-Request Id 13 from 192.168.128.34:39957 to
146.83.124.26:1812 length 409

(2)   User-Name = "[hidden email]"

(2)   NAS-IP-Address = 192.168.128.34

(2)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(2)   NAS-Port-Type = Wireless-802.11

(2)   Service-Type = Framed-User

(2)   NAS-Port = 1

(2)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(2)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 59 / Channel: 1"

(2)   Acct-Session-Id = "B51015A162BFE948"

(2)   Acct-Multi-Session-Id = "8F5640A8CB689CCA"

(2)   WLAN-Pairwise-Cipher = 1027076

(2)   WLAN-Group-Cipher = 1027074

(2)   WLAN-AKM-Suite = 1027073

(2)   WLAN-Group-Mgmt-Cipher = 1027078

(2)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(2)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(2)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(2)   Meraki-Device-Name = "AP-V1-Soporte"

(2)   Framed-MTU = 1400

(2)   EAP-Message = 0x027500061900

(2)   State = 0x21dd954120a88c3dcbc41c49c2b781e8

(2)   Message-Authenticator = 0x34512dbcef44c467f7a9576c277cb9de

(2) session-state: No cached attributes

(2) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(2)   authorize {

(2)     policy filter_username {

(2)       if (&User-Name) {

(2)       if (&User-Name)  -> TRUE

(2)       if (&User-Name)  {

(2)         if (&User-Name =~ / /) {

(2)         if (&User-Name =~ / /)  -> FALSE

(2)         if (&User-Name =~ /@[^@]*@/ ) {

(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(2)         if (&User-Name =~ /\.\./ ) {

(2)         if (&User-Name =~ /\.\./ )  -> FALSE

(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(2)         if (&User-Name =~ /\.$/)  {

(2)         if (&User-Name =~ /\.$/)   -> FALSE

(2)         if (&User-Name =~ /@\./)  {

(2)         if (&User-Name =~ /@\./)   -> FALSE

(2)       } # if (&User-Name)  = notfound

(2)     } # policy filter_username = notfound

(2)     [preprocess] = ok

(2) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d

(2) auth_log:    --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200828

(2) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200828

(2) auth_log: EXPAND %t

(2) auth_log:    --> Fri Aug 28 18:49:24 2020

(2)     [auth_log] = ok

(2)     [chap] = noop

(2)     [mschap] = noop

(2)     [digest] = noop

(2) suffix: Checking for suffix after "@"

(2) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(2) suffix: Found realm "ucn.cl"

(2) suffix: Adding Stripped-User-Name = "wifi"

(2) suffix: Adding Realm = "ucn.cl"

(2) suffix: Authentication realm is LOCAL

(2)     [suffix] = ok

(2) eap: Peer sent EAP Response (code 2) ID 117 length 6

(2) eap: Continuing tunnel setup

(2)     [eap] = ok

(2)   } # authorize = ok

(2) Found Auth-Type = eap

(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(2)   authenticate {

(2) eap: Expiring EAP session with state 0x21dd954120a88c3d

(2) eap: Finished EAP session with state 0x21dd954120a88c3d

(2) eap: Previous EAP request found for state 0x21dd954120a88c3d, released
from the list

(2) eap: Peer sent packet with method EAP PEAP (25)

(2) eap: Calling submodule eap_peap to process data

(2) eap_peap: Continuing EAP-TLS

(2) eap_peap: Peer ACKed our handshake fragment

(2) eap_peap: [eaptls verify] = request

(2) eap_peap: [eaptls process] = handled

(2) eap: Sending EAP Request (code 1) ID 118 length 1000

(2) eap: EAP session adding &reply:State = 0x21dd954123ab8c3d

(2)     [eap] = handled

(2)   } # authenticate = handled

(2) Using Post-Auth-Type Challenge

(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(2)   Challenge { ... } # empty sub-section is ignored

(2) Sent Access-Challenge Id 13 from 146.83.124.26:1812 to
192.168.128.34:39957 length 0

(2)   EAP-Message =
0x017603e81940209dba66581b0203010001a34f304d30130603551d25040c300a06082b0601050507030130360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820201005e

(2)   Message-Authenticator = 0x00000000000000000000000000000000

(2)   State = 0x21dd954123ab8c3dcbc41c49c2b781e8

(2) Finished request

Waking up in 4.9 seconds.

(3) Received Access-Request Id 14 from 192.168.128.34:39957 to
146.83.124.26:1812 length 409

(3)   User-Name = "[hidden email]"

(3)   NAS-IP-Address = 192.168.128.34

(3)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(3)   NAS-Port-Type = Wireless-802.11

(3)   Service-Type = Framed-User

(3)   NAS-Port = 1

(3)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(3)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 60 / Channel: 1"

(3)   Acct-Session-Id = "B51015A162BFE948"

(3)   Acct-Multi-Session-Id = "8F5640A8CB689CCA"

(3)   WLAN-Pairwise-Cipher = 1027076

(3)   WLAN-Group-Cipher = 1027074

(3)   WLAN-AKM-Suite = 1027073

(3)   WLAN-Group-Mgmt-Cipher = 1027078

(3)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(3)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(3)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(3)   Meraki-Device-Name = "AP-V1-Soporte"

(3)   Framed-MTU = 1400

(3)   EAP-Message = 0x027600061900

(3)   State = 0x21dd954123ab8c3dcbc41c49c2b781e8

(3)   Message-Authenticator = 0xdf7908d357b2fcfc9280a77d13deeb86

(3) session-state: No cached attributes

(3) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(3)   authorize {

(3)     policy filter_username {

(3)       if (&User-Name) {

(3)       if (&User-Name)  -> TRUE

(3)       if (&User-Name)  {

(3)         if (&User-Name =~ / /) {

(3)         if (&User-Name =~ / /)  -> FALSE

(3)         if (&User-Name =~ /@[^@]*@/ ) {

(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(3)         if (&User-Name =~ /\.\./ ) {

(3)         if (&User-Name =~ /\.\./ )  -> FALSE

(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(3)         if (&User-Name =~ /\.$/)  {

(3)         if (&User-Name =~ /\.$/)   -> FALSE

(3)         if (&User-Name =~ /@\./)  {

(3)         if (&User-Name =~ /@\./)   -> FALSE

(3)       } # if (&User-Name)  = notfound

(3)     } # policy filter_username = notfound

(3)     [preprocess] = ok

(3) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d

(3) auth_log:    --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200828

(3) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200828

(3) auth_log: EXPAND %t

(3) auth_log:    --> Fri Aug 28 18:49:24 2020

(3)     [auth_log] = ok

(3)     [chap] = noop

(3)     [mschap] = noop

(3)     [digest] = noop

(3) suffix: Checking for suffix after "@"

(3) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(3) suffix: Found realm "ucn.cl"

(3) suffix: Adding Stripped-User-Name = "wifi"

(3) suffix: Adding Realm = "ucn.cl"

(3) suffix: Authentication realm is LOCAL

(3)     [suffix] = ok

(3) eap: Peer sent EAP Response (code 2) ID 118 length 6

(3) eap: Continuing tunnel setup

(3)     [eap] = ok

(3)   } # authorize = ok

(3) Found Auth-Type = eap

(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(3)   authenticate {

(3) eap: Expiring EAP session with state 0x21dd954123ab8c3d

(3) eap: Finished EAP session with state 0x21dd954123ab8c3d

(3) eap: Previous EAP request found for state 0x21dd954123ab8c3d, released
from the list

(3) eap: Peer sent packet with method EAP PEAP (25)

(3) eap: Calling submodule eap_peap to process data

(3) eap_peap: Continuing EAP-TLS

(3) eap_peap: Peer ACKed our handshake fragment

(3) eap_peap: [eaptls verify] = request

(3) eap_peap: [eaptls process] = handled

(3) eap: Sending EAP Request (code 1) ID 119 length 1000

(3) eap: EAP session adding &reply:State = 0x21dd954122aa8c3d

(3)     [eap] = handled

(3)   } # authenticate = handled

(3) Using Post-Auth-Type Challenge

(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(3)   Challenge { ... } # empty sub-section is ignored

(3) Sent Access-Challenge Id 14 from 146.83.124.26:1812 to
192.168.128.34:39957 length 0

(3)   EAP-Message =
0x017703e81940303140616c756d6e6f732e75636e2e636c3122302006035504030c19456e746964616420636572746966696361646f72612055434e30820222300d06092a864886f70d01010105000382020f003082020a0282020100bac4e13cd8c7fa57371bce6d41f22a26bcad2ffba6e97df5048e2d

(3)   Message-Authenticator = 0x00000000000000000000000000000000

(3)   State = 0x21dd954122aa8c3dcbc41c49c2b781e8

(3) Finished request

Waking up in 4.9 seconds.

(4) Received Access-Request Id 15 from 192.168.128.34:39957 to
146.83.124.26:1812 length 409

(4)   User-Name = "[hidden email]"

(4)   NAS-IP-Address = 192.168.128.34

(4)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(4)   NAS-Port-Type = Wireless-802.11

(4)   Service-Type = Framed-User

(4)   NAS-Port = 1

(4)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(4)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 57 / Channel: 1"

(4)   Acct-Session-Id = "B51015A162BFE948"

(4)   Acct-Multi-Session-Id = "8F5640A8CB689CCA"

(4)   WLAN-Pairwise-Cipher = 1027076

(4)   WLAN-Group-Cipher = 1027074

(4)   WLAN-AKM-Suite = 1027073

(4)   WLAN-Group-Mgmt-Cipher = 1027078

(4)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(4)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(4)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(4)   Meraki-Device-Name = "AP-V1-Soporte"

(4)   Framed-MTU = 1400

(4)   EAP-Message = 0x027700061900

(4)   State = 0x21dd954122aa8c3dcbc41c49c2b781e8

(4)   Message-Authenticator = 0x7747c72fb1b5d7e944b19d7fe7e11405

(4) session-state: No cached attributes

(4) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(4)   authorize {

(4)     policy filter_username {

(4)       if (&User-Name) {

(4)       if (&User-Name)  -> TRUE

(4)       if (&User-Name)  {

(4)         if (&User-Name =~ / /) {

(4)         if (&User-Name =~ / /)  -> FALSE

(4)         if (&User-Name =~ /@[^@]*@/ ) {

(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(4)         if (&User-Name =~ /\.\./ ) {

(4)         if (&User-Name =~ /\.\./ )  -> FALSE

(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(4)         if (&User-Name =~ /\.$/)  {

(4)         if (&User-Name =~ /\.$/)   -> FALSE

(4)         if (&User-Name =~ /@\./)  {

(4)         if (&User-Name =~ /@\./)   -> FALSE

(4)       } # if (&User-Name)  = notfound

(4)     } # policy filter_username = notfound

(4)     [preprocess] = ok

(4) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d

(4) auth_log:    --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200828

(4) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200828

(4) auth_log: EXPAND %t

(4) auth_log:    --> Fri Aug 28 18:49:25 2020

(4)     [auth_log] = ok

(4)     [chap] = noop

(4)     [mschap] = noop

(4)     [digest] = noop

(4) suffix: Checking for suffix after "@"

(4) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(4) suffix: Found realm "ucn.cl"

(4) suffix: Adding Stripped-User-Name = "wifi"

(4) suffix: Adding Realm = "ucn.cl"

(4) suffix: Authentication realm is LOCAL

(4)     [suffix] = ok

(4) eap: Peer sent EAP Response (code 2) ID 119 length 6

(4) eap: Continuing tunnel setup

(4)     [eap] = ok

(4)   } # authorize = ok

(4) Found Auth-Type = eap

(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(4)   authenticate {

(4) eap: Expiring EAP session with state 0x21dd954122aa8c3d

(4) eap: Finished EAP session with state 0x21dd954122aa8c3d

(4) eap: Previous EAP request found for state 0x21dd954122aa8c3d, released
from the list

(4) eap: Peer sent packet with method EAP PEAP (25)

(4) eap: Calling submodule eap_peap to process data

(4) eap_peap: Continuing EAP-TLS

(4) eap_peap: Peer ACKed our handshake fragment

(4) eap_peap: [eaptls verify] = request

(4) eap_peap: [eaptls process] = handled

(4) eap: Sending EAP Request (code 1) ID 120 length 1000

(4) eap: EAP session adding &reply:State = 0x21dd954125a58c3d

(4)     [eap] = handled

(4)   } # authenticate = handled

(4) Using Post-Auth-Type Challenge

(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(4)   Challenge { ... } # empty sub-section is ignored

(4) Sent Access-Challenge Id 15 from 146.83.124.26:1812 to
192.168.128.34:39957 length 0

(4)   EAP-Message =
0x017803e81940c77251950fa0fe126a12332e02a8771ae735a0577b0809945f2151bb00b8f395f3f54573f94c87a0ad1afb624ea621c50e5cd9581e9bd0b5cc20a6f0c9bdbbbe326850002220a5b201f4bee09362a04c3dea95c4263c7c8ae9852a2a4c882975dc2cf44699206592149806fb22a1c9d191

(4)   Message-Authenticator = 0x00000000000000000000000000000000

(4)   State = 0x21dd954125a58c3dcbc41c49c2b781e8

(4) Finished request

Waking up in 4.9 seconds.

(5) Received Access-Request Id 16 from 192.168.128.34:39957 to
146.83.124.26:1812 length 409

(5)   User-Name = "[hidden email]"

(5)   NAS-IP-Address = 192.168.128.34

(5)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(5)   NAS-Port-Type = Wireless-802.11

(5)   Service-Type = Framed-User

(5)   NAS-Port = 1

(5)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(5)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 56 / Channel: 1"

(5)   Acct-Session-Id = "B51015A162BFE948"

(5)   Acct-Multi-Session-Id = "8F5640A8CB689CCA"

(5)   WLAN-Pairwise-Cipher = 1027076

(5)   WLAN-Group-Cipher = 1027074

(5)   WLAN-AKM-Suite = 1027073

(5)   WLAN-Group-Mgmt-Cipher = 1027078

(5)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(5)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(5)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(5)   Meraki-Device-Name = "AP-V1-Soporte"

(5)   Framed-MTU = 1400

(5)   EAP-Message = 0x027800061900

(5)   State = 0x21dd954125a58c3dcbc41c49c2b781e8

(5)   Message-Authenticator = 0x14679f103d269b881a86323b6d1e8549

(5) session-state: No cached attributes

(5) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(5)   authorize {

(5)     policy filter_username {

(5)       if (&User-Name) {

(5)       if (&User-Name)  -> TRUE

(5)       if (&User-Name)  {

(5)         if (&User-Name =~ / /) {

(5)         if (&User-Name =~ / /)  -> FALSE

(5)         if (&User-Name =~ /@[^@]*@/ ) {

(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(5)         if (&User-Name =~ /\.\./ ) {

(5)         if (&User-Name =~ /\.\./ )  -> FALSE

(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(5)         if (&User-Name =~ /\.$/)  {

(5)         if (&User-Name =~ /\.$/)   -> FALSE

(5)         if (&User-Name =~ /@\./)  {

(5)         if (&User-Name =~ /@\./)   -> FALSE

(5)       } # if (&User-Name)  = notfound

(5)     } # policy filter_username = notfound

(5)     [preprocess] = ok

(5) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d

(5) auth_log:    --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200828

(5) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200828

(5) auth_log: EXPAND %t

(5) auth_log:    --> Fri Aug 28 18:49:25 2020

(5)     [auth_log] = ok

(5)     [chap] = noop

(5)     [mschap] = noop

(5)     [digest] = noop

(5) suffix: Checking for suffix after "@"

(5) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(5) suffix: Found realm "ucn.cl"

(5) suffix: Adding Stripped-User-Name = "wifi"

(5) suffix: Adding Realm = "ucn.cl"

(5) suffix: Authentication realm is LOCAL

(5)     [suffix] = ok

(5) eap: Peer sent EAP Response (code 2) ID 120 length 6

(5) eap: Continuing tunnel setup

(5)     [eap] = ok

(5)   } # authorize = ok

(5) Found Auth-Type = eap

(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(5)   authenticate {

(5) eap: Expiring EAP session with state 0x21dd954125a58c3d

(5) eap: Finished EAP session with state 0x21dd954125a58c3d

(5) eap: Previous EAP request found for state 0x21dd954125a58c3d, released
from the list

(5) eap: Peer sent packet with method EAP PEAP (25)

(5) eap: Calling submodule eap_peap to process data

(5) eap_peap: Continuing EAP-TLS

(5) eap_peap: Peer ACKed our handshake fragment

(5) eap_peap: [eaptls verify] = request

(5) eap_peap: [eaptls process] = handled

(5) eap: Sending EAP Request (code 1) ID 121 length 101

(5) eap: EAP session adding &reply:State = 0x21dd954124a48c3d

(5)     [eap] = handled

(5)   } # authenticate = handled

(5) Using Post-Auth-Type Challenge

(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(5)   Challenge { ... } # empty sub-section is ignored

(5) Sent Access-Challenge Id 16 from 146.83.124.26:1812 to
192.168.128.34:39957 length 0

(5)   EAP-Message =
0x017900651900b69a44dd3c02289e1d59e3c9942f182daeeaf01b0f7a2e2ad802551c3563754923a576bf26f9b0e0c6f3af501b6adccd04f8dd1d542c997d9ddce0870cb079731b1d26fde666eb374bdbbfb958b1467d9eb84423ac0816030300040e000000

(5)   Message-Authenticator = 0x00000000000000000000000000000000

(5)   State = 0x21dd954124a48c3dcbc41c49c2b781e8

(5) Finished request

Waking up in 4.8 seconds.

(6) Received Access-Request Id 17 from 192.168.128.34:39957 to
146.83.124.26:1812 length 539

(6)   User-Name = "[hidden email]"

(6)   NAS-IP-Address = 192.168.128.34

(6)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(6)   NAS-Port-Type = Wireless-802.11

(6)   Service-Type = Framed-User

(6)   NAS-Port = 1

(6)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(6)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 58 / Channel: 1"

(6)   Acct-Session-Id = "B51015A162BFE948"

(6)   Acct-Multi-Session-Id = "8F5640A8CB689CCA"

(6)   WLAN-Pairwise-Cipher = 1027076

(6)   WLAN-Group-Cipher = 1027074

(6)   WLAN-AKM-Suite = 1027073

(6)   WLAN-Group-Mgmt-Cipher = 1027078

(6)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(6)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(6)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(6)   Meraki-Device-Name = "AP-V1-Soporte"

(6)   Framed-MTU = 1400

(6)   EAP-Message =
0x0279008819800000007e16030300461000004241046788806fbe757cf78d6a08d389fa7e8e550a21e4f195bff23a790c07e11ad380d541a0611f622fa4eb278e6a47fc06503e47e7d0675dfc89ef1975734a5f8cb614030300010116030300280000000000000000b8bf847857e145f1074457e48f47b4

(6)   State = 0x21dd954124a48c3dcbc41c49c2b781e8

(6)   Message-Authenticator = 0x756e5b4622e8707f399a8f35de7abb61

(6) session-state: No cached attributes

(6) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(6)   authorize {

(6)     policy filter_username {

(6)       if (&User-Name) {

(6)       if (&User-Name)  -> TRUE

(6)       if (&User-Name)  {

(6)         if (&User-Name =~ / /) {

(6)         if (&User-Name =~ / /)  -> FALSE

(6)         if (&User-Name =~ /@[^@]*@/ ) {

(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(6)         if (&User-Name =~ /\.\./ ) {

(6)         if (&User-Name =~ /\.\./ )  -> FALSE

(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(6)         if (&User-Name =~ /\.$/)  {

(6)         if (&User-Name =~ /\.$/)   -> FALSE

(6)         if (&User-Name =~ /@\./)  {

(6)         if (&User-Name =~ /@\./)   -> FALSE

(6)       } # if (&User-Name)  = notfound

(6)     } # policy filter_username = notfound

(6)     [preprocess] = ok

(6) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d

(6) auth_log:    --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200828

(6) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200828

(6) auth_log: EXPAND %t

(6) auth_log:    --> Fri Aug 28 18:49:25 2020

(6)     [auth_log] = ok

(6)     [chap] = noop

(6)     [mschap] = noop

(6)     [digest] = noop

(6) suffix: Checking for suffix after "@"

(6) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(6) suffix: Found realm "ucn.cl"

(6) suffix: Adding Stripped-User-Name = "wifi"

(6) suffix: Adding Realm = "ucn.cl"

(6) suffix: Authentication realm is LOCAL

(6)     [suffix] = ok

(6) eap: Peer sent EAP Response (code 2) ID 121 length 136

(6) eap: Continuing tunnel setup

(6)     [eap] = ok

(6)   } # authorize = ok

(6) Found Auth-Type = eap

(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(6)   authenticate {

(6) eap: Expiring EAP session with state 0x21dd954124a48c3d

(6) eap: Finished EAP session with state 0x21dd954124a48c3d

(6) eap: Previous EAP request found for state 0x21dd954124a48c3d, released
from the list

(6) eap: Peer sent packet with method EAP PEAP (25)

(6) eap: Calling submodule eap_peap to process data

(6) eap_peap: Continuing EAP-TLS

(6) eap_peap: Peer indicated complete TLS record size will be 126 bytes

(6) eap_peap: Got complete TLS record (126 bytes)

(6) eap_peap: [eaptls verify] = length included

(6) eap_peap: TLS_accept: SSLv3/TLS write server done

(6) eap_peap: <<< recv TLS 1.2  [length 0046]

(6) eap_peap: TLS_accept: SSLv3/TLS read client key exchange

(6) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec

(6) eap_peap: <<< recv TLS 1.2  [length 0010]

(6) eap_peap: TLS_accept: SSLv3/TLS read finished

(6) eap_peap: >>> send TLS 1.2  [length 0001]

(6) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec

(6) eap_peap: >>> send TLS 1.2  [length 0010]

(6) eap_peap: TLS_accept: SSLv3/TLS write finished

(6) eap_peap: (other): SSL negotiation finished successfully

(6) eap_peap: SSL Connection Established

(6) eap_peap: [eaptls process] = handled

(6) eap: Sending EAP Request (code 1) ID 122 length 57

(6) eap: EAP session adding &reply:State = 0x21dd954127a78c3d

(6)     [eap] = handled

(6)   } # authenticate = handled

(6) Using Post-Auth-Type Challenge

(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(6)   Challenge { ... } # empty sub-section is ignored

(6) Sent Access-Challenge Id 17 from 146.83.124.26:1812 to
192.168.128.34:39957 length 0

(6)   EAP-Message =
0x017a0039190014030300010116030300282fa7d91ce14448b5632cba41946bad19f391306bae4b4b64a1293149cc0357f01a76329107706008

(6)   Message-Authenticator = 0x00000000000000000000000000000000

(6)   State = 0x21dd954127a78c3dcbc41c49c2b781e8

(6) Finished request

Waking up in 4.8 seconds.

(7) Received Access-Request Id 18 from 192.168.128.34:39957 to
146.83.124.26:1812 length 409

(7)   User-Name = "[hidden email]"

(7)   NAS-IP-Address = 192.168.128.34

(7)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(7)   NAS-Port-Type = Wireless-802.11

(7)   Service-Type = Framed-User

(7)   NAS-Port = 1

(7)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(7)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 56 / Channel: 1"

(7)   Acct-Session-Id = "B51015A162BFE948"

(7)   Acct-Multi-Session-Id = "8F5640A8CB689CCA"

(7)   WLAN-Pairwise-Cipher = 1027076

(7)   WLAN-Group-Cipher = 1027074

(7)   WLAN-AKM-Suite = 1027073

(7)   WLAN-Group-Mgmt-Cipher = 1027078

(7)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(7)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(7)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(7)   Meraki-Device-Name = "AP-V1-Soporte"

(7)   Framed-MTU = 1400

(7)   EAP-Message = 0x027a00061900

(7)   State = 0x21dd954127a78c3dcbc41c49c2b781e8

(7)   Message-Authenticator = 0xa6eabb00fc3dbb9f8a77e3e189c08f82

(7) session-state: No cached attributes

(7) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(7)   authorize {

(7)     policy filter_username {

(7)       if (&User-Name) {

(7)       if (&User-Name)  -> TRUE

(7)       if (&User-Name)  {

(7)         if (&User-Name =~ / /) {

(7)         if (&User-Name =~ / /)  -> FALSE

(7)         if (&User-Name =~ /@[^@]*@/ ) {

(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(7)         if (&User-Name =~ /\.\./ ) {

(7)         if (&User-Name =~ /\.\./ )  -> FALSE

(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(7)         if (&User-Name =~ /\.$/)  {

(7)         if (&User-Name =~ /\.$/)   -> FALSE

(7)         if (&User-Name =~ /@\./)  {

(7)         if (&User-Name =~ /@\./)   -> FALSE

(7)       } # if (&User-Name)  = notfound

(7)     } # policy filter_username = notfound

(7)     [preprocess] = ok

(7) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d

(7) auth_log:    --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200828

(7) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200828

(7) auth_log: EXPAND %t

(7) auth_log:    --> Fri Aug 28 18:49:27 2020

(7)     [auth_log] = ok

(7)     [chap] = noop

(7)     [mschap] = noop

(7)     [digest] = noop

(7) suffix: Checking for suffix after "@"

(7) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(7) suffix: Found realm "ucn.cl"

(7) suffix: Adding Stripped-User-Name = "wifi"

(7) suffix: Adding Realm = "ucn.cl"

(7) suffix: Authentication realm is LOCAL

(7)     [suffix] = ok

(7) eap: Peer sent EAP Response (code 2) ID 122 length 6

(7) eap: Continuing tunnel setup

(7)     [eap] = ok

(7)   } # authorize = ok

(7) Found Auth-Type = eap

(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(7)   authenticate {

(7) eap: Expiring EAP session with state 0x21dd954127a78c3d

(7) eap: Finished EAP session with state 0x21dd954127a78c3d

(7) eap: Previous EAP request found for state 0x21dd954127a78c3d, released
from the list

(7) eap: Peer sent packet with method EAP PEAP (25)

(7) eap: Calling submodule eap_peap to process data

(7) eap_peap: Continuing EAP-TLS

(7) eap_peap: Peer ACKed our handshake fragment.  handshake is finished

(7) eap_peap: [eaptls verify] = success

(7) eap_peap: [eaptls process] = success

(7) eap_peap: Session established.  Decoding tunneled attributes

(7) eap_peap: PEAP state TUNNEL ESTABLISHED

(7) eap: Sending EAP Request (code 1) ID 123 length 40

(7) eap: EAP session adding &reply:State = 0x21dd954126a68c3d

(7)     [eap] = handled

(7)   } # authenticate = handled

(7) Using Post-Auth-Type Challenge

(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(7)   Challenge { ... } # empty sub-section is ignored

(7) Sent Access-Challenge Id 18 from 146.83.124.26:1812 to
192.168.128.34:39957 length 0

(7)   EAP-Message =
0x017b00281900170303001d2fa7d91ce14448b6c26c44cc6ab809edad31b8e6e88a368d132b76190a

(7)   Message-Authenticator = 0x00000000000000000000000000000000

(7)   State = 0x21dd954126a68c3dcbc41c49c2b781e8

(7) Finished request

Waking up in 2.6 seconds.

(8) Received Access-Request Id 19 from 192.168.128.34:39957 to
146.83.124.26:1812 length 450

(8)   User-Name = "[hidden email]"

(8)   NAS-IP-Address = 192.168.128.34

(8)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(8)   NAS-Port-Type = Wireless-802.11

(8)   Service-Type = Framed-User

(8)   NAS-Port = 1

(8)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(8)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 59 / Channel: 1"

(8)   Acct-Session-Id = "B51015A162BFE948"

(8)   Acct-Multi-Session-Id = "8F5640A8CB689CCA"

(8)   WLAN-Pairwise-Cipher = 1027076

(8)   WLAN-Group-Cipher = 1027074

(8)   WLAN-AKM-Suite = 1027073

(8)   WLAN-Group-Mgmt-Cipher = 1027078

(8)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(8)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(8)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(8)   Meraki-Device-Name = "AP-V1-Soporte"

(8)   Framed-MTU = 1400

(8)   EAP-Message =
0x027b002f19001703030024000000000000000160600c8649acac0a4995596f57083fda3fb934048eec7b2d68991701

(8)   State = 0x21dd954126a68c3dcbc41c49c2b781e8

(8)   Message-Authenticator = 0xb6ce80dae8ccb6105cd97cfbcd9fe078

(8) session-state: No cached attributes

(8) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(8)   authorize {

(8)     policy filter_username {

(8)       if (&User-Name) {

(8)       if (&User-Name)  -> TRUE

(8)       if (&User-Name)  {

(8)         if (&User-Name =~ / /) {

(8)         if (&User-Name =~ / /)  -> FALSE

(8)         if (&User-Name =~ /@[^@]*@/ ) {

(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(8)         if (&User-Name =~ /\.\./ ) {

(8)         if (&User-Name =~ /\.\./ )  -> FALSE

(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(8)         if (&User-Name =~ /\.$/)  {

(8)         if (&User-Name =~ /\.$/)   -> FALSE

(8)         if (&User-Name =~ /@\./)  {

(8)         if (&User-Name =~ /@\./)   -> FALSE

(8)       } # if (&User-Name)  = notfound

(8)     } # policy filter_username = notfound

(8)     [preprocess] = ok

(8) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d

(8) auth_log:    --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200828

(8) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200828

(8) auth_log: EXPAND %t

(8) auth_log:    --> Fri Aug 28 18:49:27 2020

(8)     [auth_log] = ok

(8)     [chap] = noop

(8)     [mschap] = noop

(8)     [digest] = noop

(8) suffix: Checking for suffix after "@"

(8) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(8) suffix: Found realm "ucn.cl"

(8) suffix: Adding Stripped-User-Name = "wifi"

(8) suffix: Adding Realm = "ucn.cl"

(8) suffix: Authentication realm is LOCAL

(8)     [suffix] = ok

(8) eap: Peer sent EAP Response (code 2) ID 123 length 47

(8) eap: Continuing tunnel setup

(8)     [eap] = ok

(8)   } # authorize = ok

(8) Found Auth-Type = eap

(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(8)   authenticate {

(8) eap: Expiring EAP session with state 0x21dd954126a68c3d

(8) eap: Finished EAP session with state 0x21dd954126a68c3d

(8) eap: Previous EAP request found for state 0x21dd954126a68c3d, released
from the list

(8) eap: Peer sent packet with method EAP PEAP (25)

(8) eap: Calling submodule eap_peap to process data

(8) eap_peap: Continuing EAP-TLS

(8) eap_peap: [eaptls verify] = ok

(8) eap_peap: Done initial handshake

(8) eap_peap: [eaptls process] = ok

(8) eap_peap: Session established.  Decoding tunneled attributes

(8) eap_peap: PEAP state WAITING FOR INNER IDENTITY

(8) eap_peap: Identity - [hidden email]

(8) eap_peap: Got inner identity '[hidden email]'

(8) eap_peap: Setting default EAP type for tunneled EAP session

(8) eap_peap: Got tunneled request

(8) eap_peap:   EAP-Message = 0x027b001001776966694075636e2e636c

(8) eap_peap: Setting User-Name to [hidden email]

(8) eap_peap: Sending tunneled request to inner-tunnel

(8) eap_peap:   EAP-Message = 0x027b001001776966694075636e2e636c

(8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1

(8) eap_peap:   User-Name = "[hidden email]"

(8) Virtual server inner-tunnel received request

(8)   EAP-Message = 0x027b001001776966694075636e2e636c

(8)   FreeRADIUS-Proxied-To = 127.0.0.1

(8)   User-Name = "[hidden email]"

(8) WARNING: Outer and inner identities are the same.  User privacy is
compromised.

(8) server inner-tunnel {

(8)   # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(8)     authorize {

(8)       policy filter_username {

(8)         if (&User-Name) {

(8)         if (&User-Name)  -> TRUE

(8)         if (&User-Name)  {

(8)           if (&User-Name =~ / /) {

(8)           if (&User-Name =~ / /)  -> FALSE

(8)           if (&User-Name =~ /@[^@]*@/ ) {

(8)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(8)           if (&User-Name =~ /\.\./ ) {

(8)           if (&User-Name =~ /\.\./ )  -> FALSE

(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE

(8)           if (&User-Name =~ /\.$/)  {

(8)           if (&User-Name =~ /\.$/)   -> FALSE

(8)           if (&User-Name =~ /@\./)  {

(8)           if (&User-Name =~ /@\./)   -> FALSE

(8)         } # if (&User-Name)  = notfound

(8)       } # policy filter_username = notfound

(8)       [mschap] = noop

(8) suffix: Checking for suffix after "@"

(8) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(8) suffix: Found realm "ucn.cl"

(8) suffix: Adding Stripped-User-Name = "wifi"

(8) suffix: Adding Realm = "ucn.cl"

(8) suffix: Authentication realm is LOCAL

(8)       [suffix] = ok

(8)       update control {

(8)         &Proxy-To-Realm := LOCAL

(8)       } # update control = noop

(8) eap: Peer sent EAP Response (code 2) ID 123 length 16

(8) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize

(8)       [eap] = ok

(8)     } # authorize = ok

(8)   Found Auth-Type = eap

(8)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(8)     authenticate {

(8) eap: Peer sent packet with method EAP Identity (1)

(8) eap: Calling submodule eap_mschapv2 to process data

(8) eap_mschapv2: Issuing Challenge

(8) eap: Sending EAP Request (code 1) ID 124 length 43

(8) eap: EAP session adding &reply:State = 0xc56f897cc5139321

(8)       [eap] = handled

(8)     } # authenticate = handled

(8) } # server inner-tunnel

(8) Virtual server sending reply

(8)   EAP-Message =
0x017c002b1a017c002610ef5df80f43a08b0517f2eebd51c95820667265657261646975732d332e302e3136

(8)   Message-Authenticator = 0x00000000000000000000000000000000

(8)   State = 0xc56f897cc5139321a7b06bef2a6a6d11

(8) eap_peap: Got tunneled reply code 11

(8) eap_peap:   EAP-Message =
0x017c002b1a017c002610ef5df80f43a08b0517f2eebd51c95820667265657261646975732d332e302e3136

(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000

(8) eap_peap:   State = 0xc56f897cc5139321a7b06bef2a6a6d11

(8) eap_peap: Got tunneled reply RADIUS code 11

(8) eap_peap:   EAP-Message =
0x017c002b1a017c002610ef5df80f43a08b0517f2eebd51c95820667265657261646975732d332e302e3136

(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000

(8) eap_peap:   State = 0xc56f897cc5139321a7b06bef2a6a6d11

(8) eap_peap: Got tunneled Access-Challenge

(8) eap: Sending EAP Request (code 1) ID 124 length 74

(8) eap: EAP session adding &reply:State = 0x21dd954129a18c3d

(8)     [eap] = handled

(8)   } # authenticate = handled

(8) Using Post-Auth-Type Challenge

(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(8)   Challenge { ... } # empty sub-section is ignored

(8) Sent Access-Challenge Id 19 from 146.83.124.26:1812 to
192.168.128.34:39957 length 0

(8)   EAP-Message =
0x017c004a1900170303003f2fa7d91ce14448b7e5c0c32388ddc8194a591f34dc604c741d5fdbf79a47dce0e95eacb441f26d50b86e8204cf425c95a8be1d58c1239799c5c6e254b47166

(8)   Message-Authenticator = 0x00000000000000000000000000000000

(8)   State = 0x21dd954129a18c3dcbc41c49c2b781e8

(8) Finished request

Waking up in 2.6 seconds.

(9) Received Access-Request Id 20 from 192.168.128.34:39957 to
146.83.124.26:1812 length 504

(9)   User-Name = "[hidden email]"

(9)   NAS-IP-Address = 192.168.128.34

(9)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(9)   NAS-Port-Type = Wireless-802.11

(9)   Service-Type = Framed-User

(9)   NAS-Port = 1

(9)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(9)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 59 / Channel: 1"

(9)   Acct-Session-Id = "B51015A162BFE948"

(9)   Acct-Multi-Session-Id = "8F5640A8CB689CCA"

(9)   WLAN-Pairwise-Cipher = 1027076

(9)   WLAN-Group-Cipher = 1027074

(9)   WLAN-AKM-Suite = 1027073

(9)   WLAN-Group-Mgmt-Cipher = 1027078

(9)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(9)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(9)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(9)   Meraki-Device-Name = "AP-V1-Soporte"

(9)   Framed-MTU = 1400

(9)   EAP-Message =
0x027c00651900170303005a00000000000000024a9bc269a4199bdc550260ada1d90a510ef9fbf7753f11ec5fe5be876f6eeb2e234a0365719abde087d2a48deb5cf395ca9706c7efe83b694fcfaa80a0a1d145c0357c0bf7ff504d9b9ac35051cf54949111

(9)   State = 0x21dd954129a18c3dcbc41c49c2b781e8

(9)   Message-Authenticator = 0xc9f8565bd068d6ad35c63cd3ec5e16d2

(9) session-state: No cached attributes

(9) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(9)   authorize {

(9)     policy filter_username {

(9)       if (&User-Name) {

(9)       if (&User-Name)  -> TRUE

(9)       if (&User-Name)  {

(9)         if (&User-Name =~ / /) {

(9)         if (&User-Name =~ / /)  -> FALSE

(9)         if (&User-Name =~ /@[^@]*@/ ) {

(9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(9)         if (&User-Name =~ /\.\./ ) {

(9)         if (&User-Name =~ /\.\./ )  -> FALSE

(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(9)         if (&User-Name =~ /\.$/)  {

(9)         if (&User-Name =~ /\.$/)   -> FALSE

(9)         if (&User-Name =~ /@\./)  {

(9)         if (&User-Name =~ /@\./)   -> FALSE

(9)       } # if (&User-Name)  = notfound

(9)     } # policy filter_username = notfound

(9)     [preprocess] = ok

(9) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d

(9) auth_log:    --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200828

(9) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200828

(9) auth_log: EXPAND %t

(9) auth_log:    --> Fri Aug 28 18:49:27 2020

(9)     [auth_log] = ok

(9)     [chap] = noop

(9)     [mschap] = noop

(9)     [digest] = noop

(9) suffix: Checking for suffix after "@"

(9) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(9) suffix: Found realm "ucn.cl"

(9) suffix: Adding Stripped-User-Name = "wifi"

(9) suffix: Adding Realm = "ucn.cl"

(9) suffix: Authentication realm is LOCAL

(9)     [suffix] = ok

(9) eap: Peer sent EAP Response (code 2) ID 124 length 101

(9) eap: Continuing tunnel setup

(9)     [eap] = ok

(9)   } # authorize = ok

(9) Found Auth-Type = eap

(9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(9)   authenticate {

(9) eap: Expiring EAP session with state 0xc56f897cc5139321

(9) eap: Finished EAP session with state 0x21dd954129a18c3d

(9) eap: Previous EAP request found for state 0x21dd954129a18c3d, released
from the list

(9) eap: Peer sent packet with method EAP PEAP (25)

(9) eap: Calling submodule eap_peap to process data

(9) eap_peap: Continuing EAP-TLS

(9) eap_peap: [eaptls verify] = ok

(9) eap_peap: Done initial handshake

(9) eap_peap: [eaptls process] = ok

(9) eap_peap: Session established.  Decoding tunneled attributes

(9) eap_peap: PEAP state phase2

(9) eap_peap: EAP method MSCHAPv2 (26)

(9) eap_peap: Got tunneled request

(9) eap_peap:   EAP-Message =
0x027c00461a027c00413112edf048489e741053571c93c8bcbb060000000000000000ef518244cd55d743a477d7e0528409c7d7373fb0f1a54f1200776966694075636e2e636c

(9) eap_peap: Setting User-Name to [hidden email]

(9) eap_peap: Sending tunneled request to inner-tunnel

(9) eap_peap:   EAP-Message =
0x027c00461a027c00413112edf048489e741053571c93c8bcbb060000000000000000ef518244cd55d743a477d7e0528409c7d7373fb0f1a54f1200776966694075636e2e636c

(9) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1

(9) eap_peap:   User-Name = "[hidden email]"

(9) eap_peap:   State = 0xc56f897cc5139321a7b06bef2a6a6d11

(9) Virtual server inner-tunnel received request

(9)   EAP-Message =
0x027c00461a027c00413112edf048489e741053571c93c8bcbb060000000000000000ef518244cd55d743a477d7e0528409c7d7373fb0f1a54f1200776966694075636e2e636c

(9)   FreeRADIUS-Proxied-To = 127.0.0.1

(9)   User-Name = "[hidden email]"

(9)   State = 0xc56f897cc5139321a7b06bef2a6a6d11

(9) WARNING: Outer and inner identities are the same.  User privacy is
compromised.

(9) server inner-tunnel {

(9)   session-state: No cached attributes

(9)   # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(9)     authorize {

(9)       policy filter_username {

(9)         if (&User-Name) {

(9)         if (&User-Name)  -> TRUE

(9)         if (&User-Name)  {

(9)           if (&User-Name =~ / /) {

(9)           if (&User-Name =~ / /)  -> FALSE

(9)           if (&User-Name =~ /@[^@]*@/ ) {

(9)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(9)           if (&User-Name =~ /\.\./ ) {

(9)           if (&User-Name =~ /\.\./ )  -> FALSE

(9)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(9)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE

(9)           if (&User-Name =~ /\.$/)  {

(9)           if (&User-Name =~ /\.$/)   -> FALSE

(9)           if (&User-Name =~ /@\./)  {

(9)           if (&User-Name =~ /@\./)   -> FALSE

(9)         } # if (&User-Name)  = notfound

(9)       } # policy filter_username = notfound

(9)       [mschap] = noop

(9) suffix: Checking for suffix after "@"

(9) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(9) suffix: Found realm "ucn.cl"

(9) suffix: Adding Stripped-User-Name = "wifi"

(9) suffix: Adding Realm = "ucn.cl"

(9) suffix: Authentication realm is LOCAL

(9)       [suffix] = ok

(9)       update control {

(9)         &Proxy-To-Realm := LOCAL

(9)       } # update control = noop

(9) eap: Peer sent EAP Response (code 2) ID 124 length 70

(9) eap: No EAP Start, assuming it's an on-going EAP conversation

(9)       [eap] = updated

(9)       if (Realm == 'ucn.cl') {

(9)       if (Realm == 'ucn.cl')  -> TRUE

(9)       if (Realm == 'ucn.cl')  {

(9) first_files: EXPAND %{Virtual-Server}

(9) first_files:    --> inner-tunnel

(9) first_files: users: Matched entry DEFAULT at line 93

(9)         [first_files] = ok

(9)       } # if (Realm == 'ucn.cl')  = ok

(9)       if (Realm == 'alumnos.ucn.cl') {

(9)       if (Realm == 'alumnos.ucn.cl')  -> FALSE

(9) files: EXPAND %{Virtual-Server}

(9) files:    --> inner-tunnel

(9) files: users: Matched entry DEFAULT at line 95

(9)       [files] = ok

(9) first_files: EXPAND %{Virtual-Server}

(9) first_files:    --> inner-tunnel

(9) first_files: users: Matched entry DEFAULT at line 93

(9)       [first_files] = ok

(9) second_files: EXPAND %{Virtual-Server}

(9) second_files:    --> inner-tunnel

(9) second_files: users: Matched entry DEFAULT at line 93

(9)       [second_files] = ok

(9)       [expiration] = noop

(9)       [logintime] = noop

(9)       [pap] = noop

(9)     } # authorize = updated

(9)   Found Auth-Type = pam

(9)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(9)     authenticate {

(9) pam: Attribute "User-Password" is required for authentication

(9)       [pam] = invalid

(9)     } # authenticate = invalid

(9)   Failed to authenticate the user

(9)   Using Post-Auth-Type Reject

(9)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(9)     Post-Auth-Type REJECT {

(9) reply_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d

(9) reply_log:    --> /var/log/freeradius/radacct/
192.168.128.34/reply-detail-20200828

(9) reply_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/reply-detail-20200828

(9) reply_log: WARNING: Skipping empty packet

(9)       [reply_log] = ok

(9) attr_filter.access_reject: EXPAND %{User-Name}

(9) attr_filter.access_reject:    --> [hidden email]

(9) attr_filter.access_reject: Matched entry DEFAULT at line 11

(9)       [attr_filter.access_reject] = updated

(9)       update outer.session-state {

(9)         No attributes updated

(9)       } # update outer.session-state = noop

(9)     } # Post-Auth-Type REJECT = updated

(9) } # server inner-tunnel

(9) Virtual server sending reply

(9) eap_peap: Got tunneled reply code 3

(9) eap_peap: Got tunneled reply RADIUS code 3

(9) eap_peap: Tunneled authentication was rejected

(9) eap_peap: FAILURE

(9) eap: Sending EAP Request (code 1) ID 125 length 46

(9) eap: EAP session adding &reply:State = 0x21dd954128a08c3d

(9)     [eap] = handled

(9)   } # authenticate = handled

(9) Using Post-Auth-Type Challenge

(9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(9)   Challenge { ... } # empty sub-section is ignored

(9) Sent Access-Challenge Id 20 from 146.83.124.26:1812 to
192.168.128.34:39957 length 0

(9)   EAP-Message =
0x017d002e190017030300232fa7d91ce14448b8ddd68976e03c329bec9e1fd5f358bc7cec4fd90c62fe6eab52678f

(9)   Message-Authenticator = 0x00000000000000000000000000000000

(9)   State = 0x21dd954128a08c3dcbc41c49c2b781e8

(9) Finished request

Waking up in 2.6 seconds.

(10) Received Access-Request Id 21 from 192.168.128.34:39957 to
146.83.124.26:1812 length 449

(10)   User-Name = "[hidden email]"

(10)   NAS-IP-Address = 192.168.128.34

(10)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(10)   NAS-Port-Type = Wireless-802.11

(10)   Service-Type = Framed-User

(10)   NAS-Port = 1

(10)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(10)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 56 / Channel: 1"

(10)   Acct-Session-Id = "B51015A162BFE948"

(10)   Acct-Multi-Session-Id = "8F5640A8CB689CCA"

(10)   WLAN-Pairwise-Cipher = 1027076

(10)   WLAN-Group-Cipher = 1027074

(10)   WLAN-AKM-Suite = 1027073

(10)   WLAN-Group-Mgmt-Cipher = 1027078

(10)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(10)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(10)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(10)   Meraki-Device-Name = "AP-V1-Soporte"

(10)   Framed-MTU = 1400

(10)   EAP-Message =
0x027d002e19001703030023000000000000000376d2d8397dd47c5aa4c12397dc5d81bd6492de176eb0693ea9966a

(10)   State = 0x21dd954128a08c3dcbc41c49c2b781e8

(10)   Message-Authenticator = 0x1cc95b6ddafcd8b2fa3b088b64b138db

(10) session-state: No cached attributes

(10) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(10)   authorize {

(10)     policy filter_username {

(10)       if (&User-Name) {

(10)       if (&User-Name)  -> TRUE

(10)       if (&User-Name)  {

(10)         if (&User-Name =~ / /) {

(10)         if (&User-Name =~ / /)  -> FALSE

(10)         if (&User-Name =~ /@[^@]*@/ ) {

(10)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(10)         if (&User-Name =~ /\.\./ ) {

(10)         if (&User-Name =~ /\.\./ )  -> FALSE

(10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE

(10)         if (&User-Name =~ /\.$/)  {

(10)         if (&User-Name =~ /\.$/)   -> FALSE

(10)         if (&User-Name =~ /@\./)  {

(10)         if (&User-Name =~ /@\./)   -> FALSE

(10)       } # if (&User-Name)  = notfound

(10)     } # policy filter_username = notfound

(10)     [preprocess] = ok

(10) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d

(10) auth_log:    --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200828

(10) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200828

(10) auth_log: EXPAND %t

(10) auth_log:    --> Fri Aug 28 18:49:27 2020

(10)     [auth_log] = ok

(10)     [chap] = noop

(10)     [mschap] = noop

(10)     [digest] = noop

(10) suffix: Checking for suffix after "@"

(10) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(10) suffix: Found realm "ucn.cl"

(10) suffix: Adding Stripped-User-Name = "wifi"

(10) suffix: Adding Realm = "ucn.cl"

(10) suffix: Authentication realm is LOCAL

(10)     [suffix] = ok

(10) eap: Peer sent EAP Response (code 2) ID 125 length 46

(10) eap: Continuing tunnel setup

(10)     [eap] = ok

(10)   } # authorize = ok

(10) Found Auth-Type = eap

(10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(10)   authenticate {

(10) eap: Expiring EAP session with state 0xc56f897cc5139321

(10) eap: Finished EAP session with state 0x21dd954128a08c3d

(10) eap: Previous EAP request found for state 0x21dd954128a08c3d, released
from the list

(10) eap: Peer sent packet with method EAP PEAP (25)

(10) eap: Calling submodule eap_peap to process data

(10) eap_peap: Continuing EAP-TLS

(10) eap_peap: [eaptls verify] = ok

(10) eap_peap: Done initial handshake

(10) eap_peap: [eaptls process] = ok

(10) eap_peap: Session established.  Decoding tunneled attributes

(10) eap_peap: PEAP state send tlv failure

(10) eap_peap: Received EAP-TLV response

(10) eap_peap:   ERROR: The users session was previously rejected:
returning reject (again.)

(10) eap_peap:   This means you need to read the PREVIOUS messages in the
debug output

(10) eap_peap:   to find out the reason why the user was rejected

(10) eap_peap:   Look for "reject" or "fail".  Those earlier messages will
tell you

(10) eap_peap:   what went wrong, and how to fix the problem

(10) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module
failed

(10) eap: Sending EAP Failure (code 4) ID 125 length 4

(10) eap: Failed in EAP select

(10)     [eap] = invalid

(10)   } # authenticate = invalid

(10) Failed to authenticate the user

(10) Using Post-Auth-Type Reject

(10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(10)   Post-Auth-Type REJECT {

(10) attr_filter.access_reject: EXPAND %{User-Name}

(10) attr_filter.access_reject:    --> [hidden email]

(10) attr_filter.access_reject: Matched entry DEFAULT at line 11

(10)     [attr_filter.access_reject] = updated

(10)     [eap] = noop

(10) reply_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d

(10) reply_log:    --> /var/log/freeradius/radacct/
192.168.128.34/reply-detail-20200828

(10) reply_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/reply-detail-20200828

(10) reply_log: EXPAND %t

(10) reply_log:    --> Fri Aug 28 18:49:27 2020

(10)     [reply_log] = ok

(10)     policy remove_reply_message_if_eap {

(10)       if (&reply:EAP-Message && &reply:Reply-Message) {

(10)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE

(10)       else {

(10)         [noop] = noop

(10)       } # else = noop

(10)     } # policy remove_reply_message_if_eap = noop

(10)   } # Post-Auth-Type REJECT = updated

(10) Delaying response for 1.000000 seconds

Waking up in 0.3 seconds.

Waking up in 0.6 seconds.

(10) Sending delayed response

(10) Sent Access-Reject Id 21 from 146.83.124.26:1812 to
192.168.128.34:39957 length 44

(10)   EAP-Message = 0x047d0004

(10)   Message-Authenticator = 0x00000000000000000000000000000000


Thanks in advance.

Bárbara.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
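The debug output above says to read the PREVIOUS messages and look for the first "reject" or "fail". The Python sketch below is an added example, not part of the original posts or of FreeRADIUS: it rejoins lines that the mail client wrapped, groups them by request number, and reports the earliest failure instead of the later "EAP sub-module failed" cascade. The sample log is constructed from lines of the kind quoted in this thread, and all function names are hypothetical.

```python
"""Triage a FreeRADIUS debug log that was pasted into e-mail."""
import re

# Constructed sample: double-spaced and hard-wrapped the way the list
# archive shows it. Request 7 holds the real failure; request 8 is fallout.
SAMPLE_LOG = '''
(6) Received Access-Request Id 116 from 192.168.128.34:39957 to
146.83.124.26:1812 length 540

(6) eap: Calling submodule eap_ttls to process data

(6)     [eap] = handled

Waking up in 4.8 seconds.

(7) pam: Using pamauth string "pam-imap-radius2" for pam.conf lookup

(7) pam: ERROR: pam_authenticate failed: Module is unknown

(7)     [pam] = reject

(7) Failed to authenticate the user

(8) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module
failed

(8)     [eap] = invalid

(8) Failed to authenticate the user
'''

REQ_LINE = re.compile(r"^\((\d+)\)\s+(.*)$")           # "(7) pam: ..."
ERROR_LINE = re.compile(r"^(?:([\w.]+):\s+)?ERROR:\s*(.*)$")
RCODE_LINE = re.compile(r"^\[([\w.]+)\]\s*=\s*(\w+)$")  # "[pam] = reject"
PAM_SERVICE = re.compile(r'^pam: Using pamauth string "([^"]+)"')
BAD_RCODES = {"reject", "fail", "invalid"}
GLOBAL_PREFIXES = ("Waking up", "Ready to process")     # lines with no "(N)"


def unwrap(text):
    """Return [(request_number_or_None, message)] with wrapped lines rejoined."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank lines added by the mailer
        m = REQ_LINE.match(line)
        if m:
            records.append((int(m.group(1)), m.group(2)))
        elif line.startswith(GLOBAL_PREFIXES):
            records.append((None, line))
        elif records:
            # No "(N)" prefix: continuation of the previous wrapped line.
            req, msg = records[-1]
            records[-1] = (req, msg + " " + line)
    return records


def triage(text):
    """Report the earliest ERROR or failing module return code, or None."""
    findings = []
    pam_service = {}                      # request number -> PAM service name
    for req, msg in unwrap(text):
        if req is None:
            continue
        svc = PAM_SERVICE.match(msg)
        if svc:
            pam_service[req] = svc.group(1)
            continue
        err = ERROR_LINE.match(msg)
        rc = RCODE_LINE.match(msg)
        if err:
            findings.append({"request": req, "module": err.group(1),
                             "detail": err.group(2)})
        elif rc and rc.group(2) in BAD_RCODES:
            findings.append({"request": req, "module": rc.group(1),
                             "detail": "returned " + rc.group(2)})
    if not findings:
        return None
    root = dict(findings[0])              # earliest finding in log order
    # The service name rlm_pam looked up, to compare with the users file.
    root["pam_service"] = pam_service.get(root["request"])
    root["later_findings"] = len(findings) - 1
    return root


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the constructed sample the report points at request 7 and the PAM service name that was actually looked up, which is the value to compare against the `Pam-Auth` setting.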

Re: EAP Submodule failed. PAM module issue.

Alan DeKok-2
On Aug 28, 2020, at 7:18 PM, HORMAZABAL PIÑONES BARBARA FRANCISCA <[hidden email]> wrote:
>
> Greetings, I'm a FreeRADIUS newbie and I apologize if I make mistakes with
> some concepts or get my point across (English is not my first language).

  It's fine.

> Anyway, I'm setting up FreeRADIUS in Ubuntu server 18.04 to authenticate
> users (teachers, students) through their Google accounts (we have a couple
> of domains for each one), so I was advised to use the PAM-IMAP module. When
> trying to authenticate however, it fails going through the eap-peap
> authentication. I read the output and checked that authentication is
> invalid in the pam module however I do not know how to fix it.

  PAM needs a clear-text password in the RADIUS request.  PEAP does not supply one.  You need to configure the clients to use TTLS with PAP inside of the tunnel.

  Alan DeKok.



Re: EAP Submodule failed. PAM module issue.

bhp1
Thank you for answering, Alan. I changed the settings in the eap file and
inner-tunnel. In the eap it's now eap_type = ttls. I'm still having
problems with the PAM-IMAP module though.

Looking around the internet I found that there was a type in setting the
users with PAM. So I have them in my users file as
DEFAULT Virtual-Server == inner-tunnel, Pam-Auth = "pam-imap-radius", Auth-Type = PAM

Reading the output, these lines are causing the problem.

(7) pam: Using pamauth string "pam-imap-radius2" for pam.conf lookup
(7) pam: ERROR: pam_authenticate failed: Module is unknown

For some reason it doesn't recognize that with the realm "ucn.cl" it should be
using pam-imap-radius and not pam-imap-radius2.

The output:

(0) Received Access-Request Id 110 from 192.168.128.34:39957 to
146.83.124.26:1812 length 402

(0)   User-Name = "[hidden email]"

(0)   NAS-IP-Address = 192.168.128.34

(0)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(0)   NAS-Port-Type = Wireless-802.11

(0)   Service-Type = Framed-User

(0)   NAS-Port = 1

(0)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(0)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 61 / Channel: 11"

(0)   Acct-Session-Id = "1265B3D4CA450401"

(0)   Acct-Multi-Session-Id = "E27A7A7004BD7B9C"

(0)   WLAN-Pairwise-Cipher = 1027076

(0)   WLAN-Group-Cipher = 1027074

(0)   WLAN-AKM-Suite = 1027073

(0)   WLAN-Group-Mgmt-Cipher = 1027078

(0)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(0)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(0)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(0)   Meraki-Device-Name = "AP-V1-Soporte"

(0)   Framed-MTU = 1400

(0)   EAP-Message = 0x025a001001776966694075636e2e636c

(0)   Message-Authenticator = 0x04cce3d3d9c3a62938bf82ea2abc2b9c

(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(0)   authorize {

(0)     policy filter_username {

(0)       if (&User-Name) {

(0)       if (&User-Name)  -> TRUE

(0)       if (&User-Name)  {

(0)         if (&User-Name =~ / /) {

(0)         if (&User-Name =~ / /)  -> FALSE

(0)         if (&User-Name =~ /@[^@]*@/ ) {

(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(0)         if (&User-Name =~ /\.\./ ) {

(0)         if (&User-Name =~ /\.\./ )  -> FALSE

(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(0)         if (&User-Name =~ /\.$/)  {

(0)         if (&User-Name =~ /\.$/)   -> FALSE

(0)         if (&User-Name =~ /@\./)  {

(0)         if (&User-Name =~ /@\./)   -> FALSE

(0)       } # if (&User-Name)  = notfound

(0)     } # policy filter_username = notfound

(0)     [preprocess] = ok

(0) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d

(0) auth_log:    --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200901

(0) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200901

(0) auth_log: EXPAND %t

(0) auth_log:    --> Tue Sep  1 11:52:23 2020

(0)     [auth_log] = ok

(0)     [chap] = noop

(0)     [mschap] = noop

(0)     [digest] = noop

(0) suffix: Checking for suffix after "@"

(0) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(0) suffix: Found realm "ucn.cl"

(0) suffix: Adding Stripped-User-Name = "wifi"

(0) suffix: Adding Realm = "ucn.cl"

(0) suffix: Authentication realm is LOCAL

(0)     [suffix] = ok

(0) eap: Peer sent EAP Response (code 2) ID 90 length 16

(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize

(0)     [eap] = ok

(0)   } # authorize = ok

(0) Found Auth-Type = eap

(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(0)   authenticate {

(0) eap: Peer sent packet with method EAP Identity (1)

(0) eap: Calling submodule eap_ttls to process data

(0) eap_ttls: Initiating new EAP-TLS session

(0) eap_ttls: [eaptls start] = request

(0) eap: Sending EAP Request (code 1) ID 91 length 6

(0) eap: EAP session adding &reply:State = 0xfc98dff8fcc3cadd

(0)     [eap] = handled

(0)   } # authenticate = handled

(0) Using Post-Auth-Type Challenge

(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(0)   Challenge { ... } # empty sub-section is ignored

(0) Sent Access-Challenge Id 110 from 146.83.124.26:1812 to
192.168.128.34:39957 length 0

(0)   EAP-Message = 0x015b00061520

(0)   Message-Authenticator = 0x00000000000000000000000000000000

(0)   State = 0xfc98dff8fcc3cadd585a7c0a5256b1cb

(0) Finished request

Waking up in 4.9 seconds.

(1) Received Access-Request Id 111 from 192.168.128.34:39957 to
146.83.124.26:1812 length 561

(1)   User-Name = "[hidden email]"

(1)   NAS-IP-Address = 192.168.128.34

(1)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(1)   NAS-Port-Type = Wireless-802.11

(1)   Service-Type = Framed-User

(1)   NAS-Port = 1

(1)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(1)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 57 / Channel: 11"

(1)   Acct-Session-Id = "1265B3D4CA450401"

(1)   Acct-Multi-Session-Id = "E27A7A7004BD7B9C"

(1)   WLAN-Pairwise-Cipher = 1027076

(1)   WLAN-Group-Cipher = 1027074

(1)   WLAN-AKM-Suite = 1027073

(1)   WLAN-Group-Mgmt-Cipher = 1027078

(1)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(1)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(1)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(1)   Meraki-Device-Name = "AP-V1-Soporte"

(1)   Framed-MTU = 1400

(1)   EAP-Message =
0x025b009d158000000093160303008e0100008a03035f4e6e39d543bdbe262325b01665d7fc0cecf99af68741b25deddf25a63780f100002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000037000a00080006001d00170018000b000201

(1)   State = 0xfc98dff8fcc3cadd585a7c0a5256b1cb

(1)   Message-Authenticator = 0x068dc765eda5d55a72a56d19ed80cc5a

(1) session-state: No cached attributes

(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(1)   authorize {

(1)     policy filter_username {

(1)       if (&User-Name) {

(1)       if (&User-Name)  -> TRUE

(1)       if (&User-Name)  {

(1)         if (&User-Name =~ / /) {

(1)         if (&User-Name =~ / /)  -> FALSE

(1)         if (&User-Name =~ /@[^@]*@/ ) {

(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(1)         if (&User-Name =~ /\.\./ ) {

(1)         if (&User-Name =~ /\.\./ )  -> FALSE

(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(1)         if (&User-Name =~ /\.$/)  {

(1)         if (&User-Name =~ /\.$/)   -> FALSE

(1)         if (&User-Name =~ /@\./)  {

(1)         if (&User-Name =~ /@\./)   -> FALSE

(1)       } # if (&User-Name)  = notfound

(1)     } # policy filter_username = notfound

(1)     [preprocess] = ok

(1) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d

(1) auth_log:    --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200901

(1) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200901

(1) auth_log: EXPAND %t

(1) auth_log:    --> Tue Sep  1 11:52:23 2020

(1)     [auth_log] = ok

(1)     [chap] = noop

(1)     [mschap] = noop

(1)     [digest] = noop

(1) suffix: Checking for suffix after "@"

(1) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(1) suffix: Found realm "ucn.cl"

(1) suffix: Adding Stripped-User-Name = "wifi"

(1) suffix: Adding Realm = "ucn.cl"

(1) suffix: Authentication realm is LOCAL

(1)     [suffix] = ok

(1) eap: Peer sent EAP Response (code 2) ID 91 length 157

(1) eap: Continuing tunnel setup

(1)     [eap] = ok

(1)   } # authorize = ok

(1) Found Auth-Type = eap

(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(1)   authenticate {

(1) eap: Expiring EAP session with state 0xfc98dff8fcc3cadd

(1) eap: Finished EAP session with state 0xfc98dff8fcc3cadd

(1) eap: Previous EAP request found for state 0xfc98dff8fcc3cadd, released
from the list

(1) eap: Peer sent packet with method EAP TTLS (21)

(1) eap: Calling submodule eap_ttls to process data

(1) eap_ttls: Authenticate

(1) eap_ttls: Continuing EAP-TLS

(1) eap_ttls: Peer indicated complete TLS record size will be 147 bytes

(1) eap_ttls: Got complete TLS record (147 bytes)

(1) eap_ttls: [eaptls verify] = length included

(1) eap_ttls: (other): before SSL initialization

(1) eap_ttls: TLS_accept: before SSL initialization

(1) eap_ttls: TLS_accept: before SSL initialization

(1) eap_ttls: <<< recv UNKNOWN TLS VERSION ?0304? [length 008e]

(1) eap_ttls: TLS_accept: SSLv3/TLS read client hello

(1) eap_ttls: >>> send TLS 1.2  [length 003d]

(1) eap_ttls: TLS_accept: SSLv3/TLS write server hello

(1) eap_ttls: >>> send TLS 1.2  [length 0d45]

(1) eap_ttls: TLS_accept: SSLv3/TLS write certificate

(1) eap_ttls: >>> send TLS 1.2  [length 024d]

(1) eap_ttls: TLS_accept: SSLv3/TLS write key exchange

(1) eap_ttls: >>> send TLS 1.2  [length 0004]

(1) eap_ttls: TLS_accept: SSLv3/TLS write server done

(1) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server
done

(1) eap_ttls: In SSL Handshake Phase

(1) eap_ttls: In SSL Accept mode

(1) eap_ttls: [eaptls process] = handled

(1) eap: Sending EAP Request (code 1) ID 92 length 1004

(1) eap: EAP session adding &reply:State = 0xfc98dff8fdc4cadd

(1)     [eap] = handled

(1)   } # authenticate = handled

(1) Using Post-Auth-Type Challenge

(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(1)   Challenge { ... } # empty sub-section is ignored

(1) Sent Access-Challenge Id 111 from 146.83.124.26:1812 to
192.168.128.34:39957 length 0

(1)   EAP-Message =
0x015c03ec15c000000fe7160303003d02000039030359d5354da526f46e73734ac9b4c806147b7bae612ec9e7fd6fe58961ef56e6ff00c030000011ff01000100000b000403000102001700001603030d450b000d41000d3e000601308205fd308203e5a003020102020101300d06092a864886f70d0101

(1)   Message-Authenticator = 0x00000000000000000000000000000000

(1)   State = 0xfc98dff8fdc4cadd585a7c0a5256b1cb

(1) Finished request

Waking up in 4.9 seconds.

(2) Received Access-Request Id 112 from 192.168.128.34:39957 to
146.83.124.26:1812 length 410

(2)   User-Name = "[hidden email]"

(2)   NAS-IP-Address = 192.168.128.34

(2)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(2)   NAS-Port-Type = Wireless-802.11

(2)   Service-Type = Framed-User

(2)   NAS-Port = 1

(2)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(2)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 62 / Channel: 11"

(2)   Acct-Session-Id = "1265B3D4CA450401"

(2)   Acct-Multi-Session-Id = "E27A7A7004BD7B9C"

(2)   WLAN-Pairwise-Cipher = 1027076

(2)   WLAN-Group-Cipher = 1027074

(2)   WLAN-AKM-Suite = 1027073

(2)   WLAN-Group-Mgmt-Cipher = 1027078

(2)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(2)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(2)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(2)   Meraki-Device-Name = "AP-V1-Soporte"

(2)   Framed-MTU = 1400

(2)   EAP-Message = 0x025c00061500

(2)   State = 0xfc98dff8fdc4cadd585a7c0a5256b1cb

(2)   Message-Authenticator = 0x83b5967ebe5b37e7447be803e0d0a7cc

(2) session-state: No cached attributes

(2) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(2)   authorize {

(2)     policy filter_username {

(2)       if (&User-Name) {

(2)       if (&User-Name)  -> TRUE

(2)       if (&User-Name)  {

(2)         if (&User-Name =~ / /) {

(2)         if (&User-Name =~ / /)  -> FALSE

(2)         if (&User-Name =~ /@[^@]*@/ ) {

(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(2)         if (&User-Name =~ /\.\./ ) {

(2)         if (&User-Name =~ /\.\./ )  -> FALSE

(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(2)         if (&User-Name =~ /\.$/)  {

(2)         if (&User-Name =~ /\.$/)   -> FALSE

(2)         if (&User-Name =~ /@\./)  {

(2)         if (&User-Name =~ /@\./)   -> FALSE

(2)       } # if (&User-Name)  = notfound

(2)     } # policy filter_username = notfound

(2)     [preprocess] = ok

(2) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d

(2) auth_log:    --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200901

(2) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200901

(2) auth_log: EXPAND %t

(2) auth_log:    --> Tue Sep  1 11:52:23 2020

(2)     [auth_log] = ok

(2)     [chap] = noop

(2)     [mschap] = noop

(2)     [digest] = noop

(2) suffix: Checking for suffix after "@"

(2) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(2) suffix: Found realm "ucn.cl"

(2) suffix: Adding Stripped-User-Name = "wifi"

(2) suffix: Adding Realm = "ucn.cl"

(2) suffix: Authentication realm is LOCAL

(2)     [suffix] = ok

(2) eap: Peer sent EAP Response (code 2) ID 92 length 6

(2) eap: Continuing tunnel setup

(2)     [eap] = ok

(2)   } # authorize = ok

(2) Found Auth-Type = eap

(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(2)   authenticate {

(2) eap: Expiring EAP session with state 0xfc98dff8fdc4cadd

(2) eap: Finished EAP session with state 0xfc98dff8fdc4cadd

(2) eap: Previous EAP request found for state 0xfc98dff8fdc4cadd, released
from the list

(2) eap: Peer sent packet with method EAP TTLS (21)

(2) eap: Calling submodule eap_ttls to process data

(2) eap_ttls: Authenticate

(2) eap_ttls: Continuing EAP-TLS

(2) eap_ttls: Peer ACKed our handshake fragment

(2) eap_ttls: [eaptls verify] = request

(2) eap_ttls: [eaptls process] = handled

(2) eap: Sending EAP Request (code 1) ID 93 length 1004

(2) eap: EAP session adding &reply:State = 0xfc98dff8fec5cadd

(2)     [eap] = handled

(2)   } # authenticate = handled

(2) Using Post-Auth-Type Challenge

(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(2)   Challenge { ... } # empty sub-section is ignored

(2) Sent Access-Challenge Id 112 from 146.83.124.26:1812 to
192.168.128.34:39957 length 0

(2)   EAP-Message =
0x015d03ec15c000000fe7209dba66581b0203010001a34f304d30130603551d25040c300a06082b0601050507030130360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382

(2)   Message-Authenticator = 0x00000000000000000000000000000000

(2)   State = 0xfc98dff8fec5cadd585a7c0a5256b1cb

(2) Finished request

Waking up in 4.9 seconds.

(3) Received Access-Request Id 113 from 192.168.128.34:39957 to
146.83.124.26:1812 length 410

(3)   User-Name = "[hidden email]"

(3)   NAS-IP-Address = 192.168.128.34

(3)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(3)   NAS-Port-Type = Wireless-802.11

(3)   Service-Type = Framed-User

(3)   NAS-Port = 1

(3)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(3)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 64 / Channel: 11"

(3)   Acct-Session-Id = "1265B3D4CA450401"

(3)   Acct-Multi-Session-Id = "E27A7A7004BD7B9C"

(3)   WLAN-Pairwise-Cipher = 1027076

(3)   WLAN-Group-Cipher = 1027074

(3)   WLAN-AKM-Suite = 1027073

(3)   WLAN-Group-Mgmt-Cipher = 1027078

(3)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(3)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(3)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(3)   Meraki-Device-Name = "AP-V1-Soporte"

(3)   Framed-MTU = 1400

(3)   EAP-Message = 0x025d00061500

(3)   State = 0xfc98dff8fec5cadd585a7c0a5256b1cb

(3)   Message-Authenticator = 0x87ee959791b647ce6c381a68cb941141

(3) session-state: No cached attributes

(3) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(3)   authorize {

(3)     policy filter_username {

(3)       if (&User-Name) {

(3)       if (&User-Name)  -> TRUE

(3)       if (&User-Name)  {

(3)         if (&User-Name =~ / /) {

(3)         if (&User-Name =~ / /)  -> FALSE

(3)         if (&User-Name =~ /@[^@]*@/ ) {

(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(3)         if (&User-Name =~ /\.\./ ) {

(3)         if (&User-Name =~ /\.\./ )  -> FALSE

(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(3)         if (&User-Name =~ /\.$/)  {

(3)         if (&User-Name =~ /\.$/)   -> FALSE

(3)         if (&User-Name =~ /@\./)  {

(3)         if (&User-Name =~ /@\./)   -> FALSE

(3)       } # if (&User-Name)  = notfound

(3)     } # policy filter_username = notfound

(3)     [preprocess] = ok

(3) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d

(3) auth_log:    --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200901

(3) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200901

(3) auth_log: EXPAND %t

(3) auth_log:    --> Tue Sep  1 11:52:23 2020

(3)     [auth_log] = ok

(3)     [chap] = noop

(3)     [mschap] = noop

(3)     [digest] = noop

(3) suffix: Checking for suffix after "@"

(3) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(3) suffix: Found realm "ucn.cl"

(3) suffix: Adding Stripped-User-Name = "wifi"

(3) suffix: Adding Realm = "ucn.cl"

(3) suffix: Authentication realm is LOCAL

(3)     [suffix] = ok

(3) eap: Peer sent EAP Response (code 2) ID 93 length 6

(3) eap: Continuing tunnel setup

(3)     [eap] = ok

(3)   } # authorize = ok

(3) Found Auth-Type = eap

(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(3)   authenticate {

(3) eap: Expiring EAP session with state 0xfc98dff8fec5cadd

(3) eap: Finished EAP session with state 0xfc98dff8fec5cadd

(3) eap: Previous EAP request found for state 0xfc98dff8fec5cadd, released
from the list

(3) eap: Peer sent packet with method EAP TTLS (21)

(3) eap: Calling submodule eap_ttls to process data

(3) eap_ttls: Authenticate

(3) eap_ttls: Continuing EAP-TLS

(3) eap_ttls: Peer ACKed our handshake fragment

(3) eap_ttls: [eaptls verify] = request

(3) eap_ttls: [eaptls process] = handled

(3) eap: Sending EAP Request (code 1) ID 94 length 1004

(3) eap: EAP session adding &reply:State = 0xfc98dff8ffc6cadd

(3)     [eap] = handled

(3)   } # authenticate = handled

(3) Using Post-Auth-Type Challenge

(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(3)   Challenge { ... } # empty sub-section is ignored

(3) Sent Access-Challenge Id 113 from 146.83.124.26:1812 to
192.168.128.34:39957 length 0

(3)   EAP-Message =
0x015e03ec15c000000fe7303140616c756d6e6f732e75636e2e636c3122302006035504030c19456e746964616420636572746966696361646f72612055434e30820222300d06092a864886f70d01010105000382020f003082020a0282020100bac4e13cd8c7fa57371bce6d41f22a26bcad2ffba6e97d

(3)   Message-Authenticator = 0x00000000000000000000000000000000

(3)   State = 0xfc98dff8ffc6cadd585a7c0a5256b1cb

(3) Finished request

Waking up in 4.9 seconds.

(4) Received Access-Request Id 114 from 192.168.128.34:39957 to
146.83.124.26:1812 length 410

(4)   User-Name = "[hidden email]"

(4)   NAS-IP-Address = 192.168.128.34

(4)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(4)   NAS-Port-Type = Wireless-802.11

(4)   Service-Type = Framed-User

(4)   NAS-Port = 1

(4)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(4)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 62 / Channel: 11"

(4)   Acct-Session-Id = "1265B3D4CA450401"

(4)   Acct-Multi-Session-Id = "E27A7A7004BD7B9C"

(4)   WLAN-Pairwise-Cipher = 1027076

(4)   WLAN-Group-Cipher = 1027074

(4)   WLAN-AKM-Suite = 1027073

(4)   WLAN-Group-Mgmt-Cipher = 1027078

(4)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(4)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(4)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(4)   Meraki-Device-Name = "AP-V1-Soporte"

(4)   Framed-MTU = 1400

(4)   EAP-Message = 0x025e00061500

(4)   State = 0xfc98dff8ffc6cadd585a7c0a5256b1cb

(4)   Message-Authenticator = 0xe30e38a9050dd13905814ea8672728b8

(4) session-state: No cached attributes

(4) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(4)   authorize {

(4)     policy filter_username {

(4)       if (&User-Name) {

(4)       if (&User-Name)  -> TRUE

(4)       if (&User-Name)  {

(4)         if (&User-Name =~ / /) {

(4)         if (&User-Name =~ / /)  -> FALSE

(4)         if (&User-Name =~ /@[^@]*@/ ) {

(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(4)         if (&User-Name =~ /\.\./ ) {

(4)         if (&User-Name =~ /\.\./ )  -> FALSE

(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(4)         if (&User-Name =~ /\.$/)  {

(4)         if (&User-Name =~ /\.$/)   -> FALSE

(4)         if (&User-Name =~ /@\./)  {

(4)         if (&User-Name =~ /@\./)   -> FALSE

(4)       } # if (&User-Name)  = notfound

(4)     } # policy filter_username = notfound

(4)     [preprocess] = ok

(4) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d

(4) auth_log:    --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200901

(4) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200901

(4) auth_log: EXPAND %t

(4) auth_log:    --> Tue Sep  1 11:52:23 2020

(4)     [auth_log] = ok

(4)     [chap] = noop

(4)     [mschap] = noop

(4)     [digest] = noop

(4) suffix: Checking for suffix after "@"

(4) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(4) suffix: Found realm "ucn.cl"

(4) suffix: Adding Stripped-User-Name = "wifi"

(4) suffix: Adding Realm = "ucn.cl"

(4) suffix: Authentication realm is LOCAL

(4)     [suffix] = ok

(4) eap: Peer sent EAP Response (code 2) ID 94 length 6

(4) eap: Continuing tunnel setup

(4)     [eap] = ok

(4)   } # authorize = ok

(4) Found Auth-Type = eap

(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(4)   authenticate {

(4) eap: Expiring EAP session with state 0xfc98dff8ffc6cadd

(4) eap: Finished EAP session with state 0xfc98dff8ffc6cadd

(4) eap: Previous EAP request found for state 0xfc98dff8ffc6cadd, released
from the list

(4) eap: Peer sent packet with method EAP TTLS (21)

(4) eap: Calling submodule eap_ttls to process data

(4) eap_ttls: Authenticate

(4) eap_ttls: Continuing EAP-TLS

(4) eap_ttls: Peer ACKed our handshake fragment

(4) eap_ttls: [eaptls verify] = request

(4) eap_ttls: [eaptls process] = handled

(4) eap: Sending EAP Request (code 1) ID 95 length 1004

(4) eap: EAP session adding &reply:State = 0xfc98dff8f8c7cadd

(4)     [eap] = handled

(4)   } # authenticate = handled

(4) Using Post-Auth-Type Challenge

(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(4)   Challenge { ... } # empty sub-section is ignored

(4) Sent Access-Challenge Id 114 from 146.83.124.26:1812 to
192.168.128.34:39957 length 0

(4)   EAP-Message =
0x015f03ec15c000000fe7c77251950fa0fe126a12332e02a8771ae735a0577b0809945f2151bb00b8f395f3f54573f94c87a0ad1afb624ea621c50e5cd9581e9bd0b5cc20a6f0c9bdbbbe326850002220a5b201f4bee09362a04c3dea95c4263c7c8ae9852a2a4c882975dc2cf44699206592149806fb22

(4)   Message-Authenticator = 0x00000000000000000000000000000000

(4)   State = 0xfc98dff8f8c7cadd585a7c0a5256b1cb

(4) Finished request

Waking up in 4.9 seconds.

(5) Received Access-Request Id 115 from 192.168.128.34:39957 to
146.83.124.26:1812 length 410

(5)   User-Name = "[hidden email]"

(5)   NAS-IP-Address = 192.168.128.34

(5)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(5)   NAS-Port-Type = Wireless-802.11

(5)   Service-Type = Framed-User

(5)   NAS-Port = 1

(5)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(5)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 61 / Channel: 11"

(5)   Acct-Session-Id = "1265B3D4CA450401"

(5)   Acct-Multi-Session-Id = "E27A7A7004BD7B9C"

(5)   WLAN-Pairwise-Cipher = 1027076

(5)   WLAN-Group-Cipher = 1027074

(5)   WLAN-AKM-Suite = 1027073

(5)   WLAN-Group-Mgmt-Cipher = 1027078

(5)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(5)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(5)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(5)   Meraki-Device-Name = "AP-V1-Soporte"

(5)   Framed-MTU = 1400

(5)   EAP-Message = 0x025f00061500

(5)   State = 0xfc98dff8f8c7cadd585a7c0a5256b1cb

(5)   Message-Authenticator = 0xaff5d23d6d7f617ed2f417cf8fc6b64a

(5) session-state: No cached attributes

(5) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(5)   authorize {

(5)     policy filter_username {

(5)       if (&User-Name) {

(5)       if (&User-Name)  -> TRUE

(5)       if (&User-Name)  {

(5)         if (&User-Name =~ / /) {

(5)         if (&User-Name =~ / /)  -> FALSE

(5)         if (&User-Name =~ /@[^@]*@/ ) {

(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(5)         if (&User-Name =~ /\.\./ ) {

(5)         if (&User-Name =~ /\.\./ )  -> FALSE

(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(5)         if (&User-Name =~ /\.$/)  {

(5)         if (&User-Name =~ /\.$/)   -> FALSE

(5)         if (&User-Name =~ /@\./)  {

(5)         if (&User-Name =~ /@\./)   -> FALSE

(5)       } # if (&User-Name)  = notfound

(5)     } # policy filter_username = notfound

(5)     [preprocess] = ok

(5) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d

(5) auth_log:    --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200901

(5) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200901

(5) auth_log: EXPAND %t

(5) auth_log:    --> Tue Sep  1 11:52:23 2020

(5)     [auth_log] = ok

(5)     [chap] = noop

(5)     [mschap] = noop

(5)     [digest] = noop

(5) suffix: Checking for suffix after "@"

(5) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(5) suffix: Found realm "ucn.cl"

(5) suffix: Adding Stripped-User-Name = "wifi"

(5) suffix: Adding Realm = "ucn.cl"

(5) suffix: Authentication realm is LOCAL

(5)     [suffix] = ok

(5) eap: Peer sent EAP Response (code 2) ID 95 length 6

(5) eap: Continuing tunnel setup

(5)     [eap] = ok

(5)   } # authorize = ok

(5) Found Auth-Type = eap

(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(5)   authenticate {

(5) eap: Expiring EAP session with state 0xfc98dff8f8c7cadd

(5) eap: Finished EAP session with state 0xfc98dff8f8c7cadd

(5) eap: Previous EAP request found for state 0xfc98dff8f8c7cadd, released
from the list

(5) eap: Peer sent packet with method EAP TTLS (21)

(5) eap: Calling submodule eap_ttls to process data

(5) eap_ttls: Authenticate

(5) eap_ttls: Continuing EAP-TLS

(5) eap_ttls: Peer ACKed our handshake fragment

(5) eap_ttls: [eaptls verify] = request

(5) eap_ttls: [eaptls process] = handled

(5) eap: Sending EAP Request (code 1) ID 96 length 105

(5) eap: EAP session adding &reply:State = 0xfc98dff8f9f8cadd

(5)     [eap] = handled

(5)   } # authenticate = handled

(5) Using Post-Auth-Type Challenge

(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(5)   Challenge { ... } # empty sub-section is ignored

(5) Sent Access-Challenge Id 115 from 146.83.124.26:1812 to
192.168.128.34:39957 length 0

(5)   EAP-Message =
0x01600069158000000fe7dd02213dc082bf9030b18c868edd995a7861437222487c7d98135b10166d927771216da0a1f38f13952517a5b10fd057e10f81b1d606ac8ad24ac5f91c5598c268b6720be6ca68e3ccbd62d209eada0c2fbdbcd6bac416030300040e000000

(5)   Message-Authenticator = 0x00000000000000000000000000000000

(5)   State = 0xfc98dff8f9f8cadd585a7c0a5256b1cb

(5) Finished request

Waking up in 4.8 seconds.

(6) Received Access-Request Id 116 from 192.168.128.34:39957 to
146.83.124.26:1812 length 540

(6)   User-Name = "[hidden email]"

(6)   NAS-IP-Address = 192.168.128.34

(6)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(6)   NAS-Port-Type = Wireless-802.11

(6)   Service-Type = Framed-User

(6)   NAS-Port = 1

(6)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(6)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 54 / Channel: 11"

(6)   Acct-Session-Id = "1265B3D4CA450401"

(6)   Acct-Multi-Session-Id = "E27A7A7004BD7B9C"

(6)   WLAN-Pairwise-Cipher = 1027076

(6)   WLAN-Group-Cipher = 1027074

(6)   WLAN-AKM-Suite = 1027073

(6)   WLAN-Group-Mgmt-Cipher = 1027078

(6)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(6)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(6)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(6)   Meraki-Device-Name = "AP-V1-Soporte"

(6)   Framed-MTU = 1400

(6)   EAP-Message =
0x0260008815800000007e1603030046100000424104163f372687eb80d249bb061304fc52817ba0e4862fd5f6c419a118480627b974461bb79fb895d856f47fd3242fb08d24956729ee640f4880b162d4ab1d6c83f914030300010116030300280000000000000000fcf6e3d255b1273d62447e0e0cb40f

(6)   State = 0xfc98dff8f9f8cadd585a7c0a5256b1cb

(6)   Message-Authenticator = 0x419fc3b739475b963f44b66a473e4c5a

(6) session-state: No cached attributes

(6) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(6)   authorize {

(6)     policy filter_username {

(6)       if (&User-Name) {

(6)       if (&User-Name)  -> TRUE

(6)       if (&User-Name)  {

(6)         if (&User-Name =~ / /) {

(6)         if (&User-Name =~ / /)  -> FALSE

(6)         if (&User-Name =~ /@[^@]*@/ ) {

(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(6)         if (&User-Name =~ /\.\./ ) {

(6)         if (&User-Name =~ /\.\./ )  -> FALSE

(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(6)         if (&User-Name =~ /\.$/)  {

(6)         if (&User-Name =~ /\.$/)   -> FALSE

(6)         if (&User-Name =~ /@\./)  {

(6)         if (&User-Name =~ /@\./)   -> FALSE

(6)       } # if (&User-Name)  = notfound

(6)     } # policy filter_username = notfound

(6)     [preprocess] = ok

(6) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d

(6) auth_log:    --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200901

(6) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200901

(6) auth_log: EXPAND %t

(6) auth_log:    --> Tue Sep  1 11:52:23 2020

(6)     [auth_log] = ok

(6)     [chap] = noop

(6)     [mschap] = noop

(6)     [digest] = noop

(6) suffix: Checking for suffix after "@"

(6) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(6) suffix: Found realm "ucn.cl"

(6) suffix: Adding Stripped-User-Name = "wifi"

(6) suffix: Adding Realm = "ucn.cl"

(6) suffix: Authentication realm is LOCAL

(6)     [suffix] = ok

(6) eap: Peer sent EAP Response (code 2) ID 96 length 136

(6) eap: Continuing tunnel setup

(6)     [eap] = ok

(6)   } # authorize = ok

(6) Found Auth-Type = eap

(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(6)   authenticate {

(6) eap: Expiring EAP session with state 0xfc98dff8f9f8cadd

(6) eap: Finished EAP session with state 0xfc98dff8f9f8cadd

(6) eap: Previous EAP request found for state 0xfc98dff8f9f8cadd, released
from the list

(6) eap: Peer sent packet with method EAP TTLS (21)

(6) eap: Calling submodule eap_ttls to process data

(6) eap_ttls: Authenticate

(6) eap_ttls: Continuing EAP-TLS

(6) eap_ttls: Peer indicated complete TLS record size will be 126 bytes

(6) eap_ttls: Got complete TLS record (126 bytes)

(6) eap_ttls: [eaptls verify] = length included

(6) eap_ttls: TLS_accept: SSLv3/TLS write server done

(6) eap_ttls: <<< recv TLS 1.2  [length 0046]

(6) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange

(6) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec

(6) eap_ttls: <<< recv TLS 1.2  [length 0010]

(6) eap_ttls: TLS_accept: SSLv3/TLS read finished

(6) eap_ttls: >>> send TLS 1.2  [length 0001]

(6) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec

(6) eap_ttls: >>> send TLS 1.2  [length 0010]

(6) eap_ttls: TLS_accept: SSLv3/TLS write finished

(6) eap_ttls: (other): SSL negotiation finished successfully

(6) eap_ttls: SSL Connection Established

(6) eap_ttls: [eaptls process] = handled

(6) eap: Sending EAP Request (code 1) ID 97 length 61

(6) eap: EAP session adding &reply:State = 0xfc98dff8faf9cadd

(6)     [eap] = handled

(6)   } # authenticate = handled

(6) Using Post-Auth-Type Challenge

(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(6)   Challenge { ... } # empty sub-section is ignored

(6) Sent Access-Challenge Id 116 from 146.83.124.26:1812 to
192.168.128.34:39957 length 0

(6)   EAP-Message =
0x0161003d158000000033140303000101160303002886804395e9752affc89dde1b411debdf4e3c00db259a47945801253f950c3be9826f2ce57374f1bb

(6)   Message-Authenticator = 0x00000000000000000000000000000000

(6)   State = 0xfc98dff8faf9cadd585a7c0a5256b1cb

(6) Finished request

Waking up in 4.8 seconds.

(7) Received Access-Request Id 117 from 192.168.128.34:39957 to
146.83.124.26:1812 length 483

(7)   User-Name = "[hidden email]"

(7)   NAS-IP-Address = 192.168.128.34

(7)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(7)   NAS-Port-Type = Wireless-802.11

(7)   Service-Type = Framed-User

(7)   NAS-Port = 1

(7)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(7)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 58 / Channel: 11"

(7)   Acct-Session-Id = "1265B3D4CA450401"

(7)   Acct-Multi-Session-Id = "E27A7A7004BD7B9C"

(7)   WLAN-Pairwise-Cipher = 1027076

(7)   WLAN-Group-Cipher = 1027074

(7)   WLAN-AKM-Suite = 1027073

(7)   WLAN-Group-Mgmt-Cipher = 1027078

(7)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(7)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(7)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(7)   Meraki-Device-Name = "AP-V1-Soporte"

(7)   Framed-MTU = 1400

(7)   EAP-Message =
0x0261004f15800000004517030300400000000000000001b98cb06ad5a33b6d61e62a62728f25a6b571d54f423fc79aae25f51af5e30b1fdafb12a2506c68349dcdb3bd12e99f5dacbbcc1e8760a817

(7)   State = 0xfc98dff8faf9cadd585a7c0a5256b1cb

(7)   Message-Authenticator = 0xe7d95b4aa7b635f28e7f7014ad5e69d5

(7) session-state: No cached attributes

(7) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(7)   authorize {

(7)     policy filter_username {

(7)       if (&User-Name) {

(7)       if (&User-Name)  -> TRUE

(7)       if (&User-Name)  {

(7)         if (&User-Name =~ / /) {

(7)         if (&User-Name =~ / /)  -> FALSE

(7)         if (&User-Name =~ /@[^@]*@/ ) {

(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(7)         if (&User-Name =~ /\.\./ ) {

(7)         if (&User-Name =~ /\.\./ )  -> FALSE

(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(7)         if (&User-Name =~ /\.$/)  {

(7)         if (&User-Name =~ /\.$/)   -> FALSE

(7)         if (&User-Name =~ /@\./)  {

(7)         if (&User-Name =~ /@\./)   -> FALSE

(7)       } # if (&User-Name)  = notfound

(7)     } # policy filter_username = notfound

(7)     [preprocess] = ok

(7) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d

(7) auth_log:    --> /var/log/freeradius/radacct/
192.168.128.34/auth-detail-20200901

(7) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200901

(7) auth_log: EXPAND %t

(7) auth_log:    --> Tue Sep  1 11:52:25 2020

(7)     [auth_log] = ok

(7)     [chap] = noop

(7)     [mschap] = noop

(7)     [digest] = noop

(7) suffix: Checking for suffix after "@"

(7) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(7) suffix: Found realm "ucn.cl"

(7) suffix: Adding Stripped-User-Name = "wifi"

(7) suffix: Adding Realm = "ucn.cl"

(7) suffix: Authentication realm is LOCAL

(7)     [suffix] = ok

(7) eap: Peer sent EAP Response (code 2) ID 97 length 79

(7) eap: Continuing tunnel setup

(7)     [eap] = ok

(7)   } # authorize = ok

(7) Found Auth-Type = eap

(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(7)   authenticate {

(7) eap: Expiring EAP session with state 0xfc98dff8faf9cadd

(7) eap: Finished EAP session with state 0xfc98dff8faf9cadd

(7) eap: Previous EAP request found for state 0xfc98dff8faf9cadd, released
from the list

(7) eap: Peer sent packet with method EAP TTLS (21)

(7) eap: Calling submodule eap_ttls to process data

(7) eap_ttls: Authenticate

(7) eap_ttls: Continuing EAP-TLS

(7) eap_ttls: Peer indicated complete TLS record size will be 69 bytes

(7) eap_ttls: Got complete TLS record (69 bytes)

(7) eap_ttls: [eaptls verify] = length included

(7) eap_ttls: [eaptls process] = ok

(7) eap_ttls: Session established.  Proceeding to decode tunneled attributes

(7) eap_ttls: Got tunneled request

(7) eap_ttls:   User-Name = "[hidden email]"

(7) eap_ttls:   User-Password = "SoporteUcn"

(7) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1

(7) eap_ttls: Sending tunneled request

(7) Virtual server inner-tunnel received request

(7)   User-Name = "[hidden email]"

(7)   User-Password = "SoporteUcn"

(7)   FreeRADIUS-Proxied-To = 127.0.0.1

(7)   NAS-IP-Address = 192.168.128.34

(7)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(7)   NAS-Port-Type = Wireless-802.11

(7)   Service-Type = Framed-User

(7)   NAS-Port = 1

(7)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(7)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 58 / Channel: 11"

(7)   Acct-Session-Id = "1265B3D4CA450401"

(7)   Acct-Multi-Session-Id = "E27A7A7004BD7B9C"

(7)   WLAN-Pairwise-Cipher = 1027076

(7)   WLAN-Group-Cipher = 1027074

(7)   WLAN-AKM-Suite = 1027073

(7)   WLAN-Group-Mgmt-Cipher = 1027078

(7)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(7)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(7)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(7)   Meraki-Device-Name = "AP-V1-Soporte"

(7)   Framed-MTU = 1400

(7)   Event-Timestamp = "Sep  1 2020 11:52:25 -04"

(7) WARNING: Outer and inner identities are the same.  User privacy is
compromised.

(7) server inner-tunnel {

(7)   # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(7)     authorize {

(7)       policy filter_username {

(7)         if (&User-Name) {

(7)         if (&User-Name)  -> TRUE

(7)         if (&User-Name)  {

(7)           if (&User-Name =~ / /) {

(7)           if (&User-Name =~ / /)  -> FALSE

(7)           if (&User-Name =~ /@[^@]*@/ ) {

(7)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(7)           if (&User-Name =~ /\.\./ ) {

(7)           if (&User-Name =~ /\.\./ )  -> FALSE

(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE

(7)           if (&User-Name =~ /\.$/)  {

(7)           if (&User-Name =~ /\.$/)   -> FALSE

(7)           if (&User-Name =~ /@\./)  {

(7)           if (&User-Name =~ /@\./)   -> FALSE

(7)         } # if (&User-Name)  = notfound

(7)       } # policy filter_username = notfound

(7)       [mschap] = noop

(7) suffix: Checking for suffix after "@"

(7) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(7) suffix: Found realm "ucn.cl"

(7) suffix: Adding Stripped-User-Name = "wifi"

(7) suffix: Adding Realm = "ucn.cl"

(7) suffix: Authentication realm is LOCAL

(7)       [suffix] = ok

(7)       update control {

(7)         &Proxy-To-Realm := LOCAL

(7)       } # update control = noop

(7) eap: No EAP-Message, not doing EAP

(7)       [eap] = noop

(7)       if (Realm == 'ucn.cl') {

(7)       if (Realm == 'ucn.cl')  -> TRUE

(7)       if (Realm == 'ucn.cl')  {

(7) first_files: EXPAND %{Virtual-Server}

(7) first_files:    --> inner-tunnel

(7) first_files: users: Matched entry DEFAULT at line 93

(7)         [first_files] = ok

(7)       } # if (Realm == 'ucn.cl')  = ok

(7)       if (Realm == 'alumnos.ucn.cl') {

(7)       if (Realm == 'alumnos.ucn.cl')  -> FALSE

(7) files: EXPAND %{Virtual-Server}

(7) files:    --> inner-tunnel

(7)       [files] = noop

(7) first_files: EXPAND %{Virtual-Server}

(7) first_files:    --> inner-tunnel

(7) first_files: users: Matched entry DEFAULT at line 93

(7)       [first_files] = ok

(7) second_files: EXPAND %{Virtual-Server}

(7) second_files:    --> inner-tunnel

(7) second_files: users: Matched entry DEFAULT at line 93

(7)       [second_files] = ok

(7)       [expiration] = noop

(7)       [logintime] = noop

(7)       [pap] = noop

(7)     } # authorize = ok

(7)   Found Auth-Type = pam

(7)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(7)     authenticate {

(7) pam: Using pamauth string "pam-imap-radius2" for pam.conf lookup

(7) pam: ERROR: pam_authenticate failed: Module is unknown

(7)       [pam] = reject

(7)     } # authenticate = reject

(7)   Failed to authenticate the user

(7)   Using Post-Auth-Type Reject

(7)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(7)     Post-Auth-Type REJECT {

(7) reply_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d

(7) reply_log:    --> /var/log/freeradius/radacct/
192.168.128.34/reply-detail-20200901

(7) reply_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/reply-detail-20200901

(7) reply_log: WARNING: Skipping empty packet

(7)       [reply_log] = ok

(7) attr_filter.access_reject: EXPAND %{User-Name}

(7) attr_filter.access_reject:    --> [hidden email]

(7) attr_filter.access_reject: Matched entry DEFAULT at line 11

(7)       [attr_filter.access_reject] = updated

(7)       update outer.session-state {

(7)         &Module-Failure-Message := &request:Module-Failure-Message ->
'pam: pam_authenticate failed: Module is unknown'

(7)       } # update outer.session-state = noop

(7)     } # Post-Auth-Type REJECT = updated

(7) } # server inner-tunnel

(7) Virtual server sending reply

(7) eap_ttls: Got tunneled Access-Reject

(7) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module
failed

(7) eap: Sending EAP Failure (code 4) ID 97 length 4

(7) eap: Failed in EAP select

(7)     [eap] = invalid

(7)   } # authenticate = invalid

(7) Failed to authenticate the user

(7) Using Post-Auth-Type Reject

(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(7)   Post-Auth-Type REJECT {

(7) attr_filter.access_reject: EXPAND %{User-Name}

(7) attr_filter.access_reject:    --> [hidden email]

(7) attr_filter.access_reject: Matched entry DEFAULT at line 11

(7)     [attr_filter.access_reject] = updated

(7)     [eap] = noop

(7) reply_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d

(7) reply_log:    --> /var/log/freeradius/radacct/
192.168.128.34/reply-detail-20200901

(7) reply_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.128.34/reply-detail-20200901

(7) reply_log: EXPAND %t

(7) reply_log:    --> Tue Sep  1 11:52:25 2020

(7)     [reply_log] = ok

(7)     policy remove_reply_message_if_eap {

(7)       if (&reply:EAP-Message && &reply:Reply-Message) {

(7)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE

(7)       else {

(7)         [noop] = noop

(7)       } # else = noop

(7)     } # policy remove_reply_message_if_eap = noop

(7)   } # Post-Auth-Type REJECT = updated

(7) Delaying response for 1.000000 seconds

Waking up in 0.3 seconds.

Waking up in 0.6 seconds.

(7) Sending delayed response

(7) Sent Access-Reject Id 117 from 146.83.124.26:1812 to
192.168.128.34:39957 length 44

(7)   EAP-Message = 0x04610004

(7)   Message-Authenticator = 0x00000000000000000000000000000000

Waking up in 2.0 seconds.

(0) Cleaning up request packet ID 110 with timestamp +23

(1) Cleaning up request packet ID 111 with timestamp +23

(2) Cleaning up request packet ID 112 with timestamp +23

(3) Cleaning up request packet ID 113 with timestamp +23

(4) Cleaning up request packet ID 114 with timestamp +23

(5) Cleaning up request packet ID 115 with timestamp +23

(6) Cleaning up request packet ID 116 with timestamp +23

Waking up in 1.8 seconds.

(7) Cleaning up request packet ID 117 with timestamp +25


I apologize if I failed to follow your instructions properly, but I'm at a loss
here. Thanks in advance.

On Sat, Aug 29, 2020 at 6:20, Alan DeKok (<[hidden email]>) wrote:

> On Aug 28, 2020, at 7:18 PM, HORMAZABAL PIÑONES BARBARA FRANCISCA <[hidden email]> wrote:
> >
> > Greetings, I'm a Freeradius newbie and I apologize if I make mistakes with
> > some concepts or get my point across (English is not my first language).
>
>   It's fine.
>
> > Anyway, I'm setting up freeradius in Ubuntu server 18.04 to authenticate
> > users (teachers, students) through their google accounts (we have a couple
> > of domains for each one), so I was advised to use the PAM-IMAP module. When
> > trying to authenticate however, it fails going through the eap-peap
> > authentication. I read the output and checked that authentication is
> > invalid in the pam module however I do not know how to fix it.
>
>   PAM needs a clear-text password in the RADIUS request.  PEAP does not
> supply one.  You need to configure the clients to use TTLS with PAP inside
> of the tunnel.
>
>   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP Submodule failed. PAM module issue.

Alan DeKok-2
On Sep 1, 2020, at 12:02 PM, HORMAZABAL PIÑONES BARBARA FRANCISCA <[hidden email]> wrote:

>
> Thank you for answering, Alan. I changed the settings in the eap file and
> inner-tunnel. In the eap it's now eap_type = ttls. I'm still having
> problems with the PAM-IMAP module though.
>
> Looking around the internet I found that there was a type in setting the
> users with PAM. So I have them in my users file as
> DEFAULT Virtual-Server == inner-tunnel, Pam-Auth = "pam-imap-radius",
> Auth-Type = PAM
>
> Reading the output, these lines are causing the problem.
>
> (7) pam: Using pamauth string "pam-imap-radius2" for pam.conf lookup
> (7) pam: ERROR: pam_authenticate failed: Module is unknown

  That means you haven't made PAM aware of the "pam-imap-radius2" configuration.  

> For some reason it doesn't recognize that with the realm "ucn.cl" should be
> using pam-imap-radius and not pam-imap-radius2.

  So.... how did you configure FreeRADIUS to look for the realm "ucn.cl", and use the correct PAM-Auth?  It would help to describe that.

  The debug log shows:

> (7)       if (Realm == 'ucn.cl')  {
>
> (7) first_files: EXPAND %{Virtual-Server}
>
> (7) first_files:    --> inner-tunnel
>
> (7) first_files: users: Matched entry DEFAULT at line 93
>
> (7)         [first_files] = ok

  Which means that you can set PAM-Auth here, and set it to the correct value.
>
> (7)     authenticate {
>
> (7) pam: Using pamauth string "pam-imap-radius2" for pam.conf lookup

  Where does that come from?

  Alan DeKok.



Re: EAP Submodule failed. PAM module issue.

bhp1
>  That means you haven't made PAM aware of the "pam-imap-radius2" configuration.

I'm currently trying to figure that out. I have checked the PAM folders.
All the pam-imap related files, including pam_imap.conf, are in the
/etc/security/pam.d file. I also tried configuring the common-account and
common-auth files. Unless I'm missing a particular PAM file where to state
to use pam-imap.

> So.... how did you configure FreeRADIUS to look for the realm "ucn.cl",
> and use the correct PAM-Auth?  It would help to describe that.

I am following an eduroam based configuration which states that for each
realm there should be a pam-imap file, pam-imap-radius, and users file for
each. For example the file pam_imap.conf has this configuration:

PAM_PasswordString = Password:
# If you use a certificate that is not in the default certificate store,
# you should specify the path to it here.
# Note that this option should *NOT* have an equals sign
CertificateFile /etc/ssl/certs/ca-certificates.crt

PAM_Server0 = imaps:imap.gmail.com:993
PAM_Domain = ucn.cl
PAM_BlockList = root, admin, Administrator, apache
PAM_HashEnable = yes
# This file must be writable by whatever uses PAM
PAM_HashFile = /var/cache/pam_imap/pam_imap.gdbm
# Keep a hash of good passwords to prevent overloading the IMAP server
PAM_HashDelta = 600

While it is stated that one of the users files should look like this:

test Realm == "ucn.cl", Cleartext-Password := "123456"

DEFAULT Virtual-Server == inner-tunnel, Pam-Auth := "pam-imap-radius", Auth-Type = PAM

> Which means that you can set PAM-Auth here, and set it to the correct value.

Sorry, but can you please explain this more? Should I just write
"Auth-type: PAM" right after first_files?

> (7) pam: Using pamauth string "pam-imap-radius2" for pam.conf lookup

> Where does that come from?

I still don't know what is going on with that. I'm still trying to check the
pam config files.

By the way, I checked the logs in var/logs and this message appeared:

Sep  1 16:57:06 radius-wifi freeradius: PAM unable to dlopen(pam_imap.so): /lib/security/pam_imap.so: undefined symbol: pam_get_item
Sep  1 16:57:06 radius-wifi freeradius: PAM adding faulty module: pam_imap.so

Sorry for the trouble



Re: EAP Submodule failed. PAM module issue.

Alan DeKok-2
On Sep 1, 2020, at 5:13 PM, HORMAZABAL PIÑONES BARBARA FRANCISCA <[hidden email]> wrote:
>> So.... how did you configure FreeRADIUS to look for the realm "ucn.cl",
>> and use the correct PAM-Auth?  It would help to describe that.
> I am following an eduroam based configuration which states that for each
> realm there should be a pam-imap file, pam-imap-radius, and users file for
> each. For example the file pam_imap.conf has this configuration:

  That doesn't really answer my question.  If I ask how did you configure *FreeRADIUS*, I don't need to see a bunch of configuration files for PAM.

  Creating solutions requires a methodical approach, and paying attention to details.

> While one of the users file is stated that it should look like this:
>
> test Realm == "ucn.cl", Cleartext-Password := "123456"
>
> DEFAULT Virtual-Server == inner-tunnel, Pam-Auth := "pam-imap-radius", Auth-Type = PAM

  Which sets PAM-Auth.  But not to "pam-imap-radius2", as the debug log shows.

  So which FreeRADIUS file did you change to set PAM-Auth to "pam-imap-radius2" ?

>> Which means that you can set PAM-Auth here, and set it to the correct value.
> Sorry, but can you please explain this more? should I just write
> "Auth-type: PAM" right after first_files?

  You posted a "users" file entry which sets PAM-Auth.   So... you know how to set PAM-Auth.

  And no, when I say "PAM-Auth", I don't mean "Auth-Type = PAM".

>> (7) pam: Using pamauth string "pam-imap-radius2" for pam.conf lookup
>
>> Where does that come from?
> I still don't know what is going with that. I'm still trying to check the
> pam config files.

  You posted a *FREERADIUS* debug output which showed that *FREERADIUS* was using "pam-imap-radius2".

  Search the *FREERADIUS* configuration files for that.  You should know which one.  It's not in the default configuration, which means you edited something, and added that.

  So... which file did you edit?

>  By the way I checked the logs in var/logs and this message appeared
> Sep  1 16:57:06 radius-wifi freeradius: PAM unable to dlopen(pam_imap.so):
> /lib/security/pam_imap.so: undefined symbol: pam_get_item
> Sep  1 16:57:06 radius-wifi freeradius: PAM adding faulty module:
> pam_imap.so

  Ask the PAM people how their software works.  We didn't write pam_imap, and we know nothing about it.

  Alan DeKok.
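
Added example, not part of the thread and not FreeRADIUS project code: one way to carry out the search described above, listing every Pam-Auth / pam_auth value in a configuration tree and checking that PAM has a service file and a module for each. The sample tree and its file names are constructed for the demo; on a real host pass the FreeRADIUS configuration directory, the PAM service directory and the PAM module directories as arguments.

```python
"""List every PAM service name a FreeRADIUS tree asks for and check PAM can serve it."""
import re
import tempfile
from pathlib import Path

# Pam-Auth in a users file, or pam_auth in the pam module's own configuration.
PAM_AUTH_RE = re.compile(r'\bpam[-_]auth\s*(?::=|==|\+=|=)\s*"?([\w.-]+)"?', re.I)
# "auth required pam_imap.so ..." -> the module file name (third field).
PAM_LINE_RE = re.compile(
    r'^\s*-?(?:auth|account|session|password)\s+(?:\[[^\]]*\]|\S+)\s+(\S+\.so)\b')


def find_pam_auth(raddb):
    """Return (relative file, line number, service name) for each assignment."""
    raddb = Path(raddb)
    hits = []
    for path in sorted(p for p in raddb.rglob("*") if p.is_file()):
        lines = path.read_text(errors="replace").splitlines()
        for number, line in enumerate(lines, 1):
            if line.lstrip().startswith("#"):
                continue  # commented-out entries do not count
            for match in PAM_AUTH_RE.finditer(line):
                hits.append((str(path.relative_to(raddb)), number, match.group(1)))
    return hits


def check_services(hits, pam_dir, module_dirs):
    """Map each service name to a list of problems (empty list: files are in place)."""
    report = {}
    for _, _, service in hits:
        if service in report:
            continue
        problems = report.setdefault(service, [])
        service_file = Path(pam_dir) / service
        if not service_file.is_file():
            problems.append("missing service file")
            continue
        for line in service_file.read_text(errors="replace").splitlines():
            match = PAM_LINE_RE.match(line)
            if not match:
                continue
            module = match.group(1)
            # Absolute module paths are used as given; bare names are searched.
            candidates = ([Path(module)] if module.startswith("/")
                          else [Path(d) / module for d in module_dirs])
            if not any(c.is_file() for c in candidates):
                problems.append(f"module {module} not found")
    # A module that exists can still fail to load (the thread's
    # "undefined symbol: pam_get_item"); that appears in syslog, not here.
    return report


def build_sample(root):
    """Constructed sample tree (hypothetical file names, not the poster's files)."""
    root = Path(root)
    raddb, pam_d, mods = root / "raddb", root / "pam.d", root / "security"
    for directory in (raddb / "mods-config", pam_d, mods):
        directory.mkdir(parents=True)
    (raddb / "pam").write_text("pam {\n\tpam_auth = radiusd\n}\n")
    (raddb / "mods-config" / "users_ucn").write_text(
        '# Pam-Auth := "commented-out"\n'
        'DEFAULT Virtual-Server == inner-tunnel, '
        'Pam-Auth := "pam-imap-radius", Auth-Type = PAM\n')
    (raddb / "mods-config" / "users_alumnos").write_text(
        'DEFAULT Virtual-Server == inner-tunnel, '
        'Pam-Auth := "pam-imap-radius2", Auth-Type = PAM\n')
    (pam_d / "radiusd").write_text("auth required pam_unix.so\n")
    (pam_d / "pam-imap-radius").write_text("auth required pam_imap.so\n")
    (mods / "pam_unix.so").write_bytes(b"")  # pam_imap.so deliberately absent
    return raddb, pam_d, mods


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        raddb, pam_d, mods = build_sample(tmp)
        hits = find_pam_auth(raddb)
        for name, number, service in hits:
            print(f"{name}:{number}: Pam-Auth -> {service}")
        for service, problems in check_services(hits, pam_d, [mods]).items():
            print(service, "->", "; ".join(problems) or "ok")
```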



Re: EAP Submodule failed. PAM module issue.

bhp1
I apologize for the late reply. So I couldn't find a way to fix it and
ended up trying to redo it all over again, re-installing freeradius and
all. However, whenever I try to compile the module there is an
incompatibility problem. Turns out this module and any other module I have
looked for that authenticates against gmail is obsolete with freeradius 3.
The modules work only for version 2, I tried setting up freeradius 2 but I
have another error with installing with the make and make install modules
so that's another thing out of the question.

Is there any other way to authenticate against gmail in freeradius 3?


Re: EAP Submodule failed. PAM module issue.

Alan DeKok-2
On Sep 16, 2020, at 7:05 PM, HORMAZABAL PIÑONES BARBARA FRANCISCA <[hidden email]> wrote:
>
> I apologize for the late reply. So I couldn't find a way to fix it and
> ended up trying to redo it all over again, re-installing freeradius and
> all. However, whenever I try to compile the module there is an
> incompatibility problem. Turns out this module and any other module I have
> looked for that authenticates against gmail is obsolete with freeradius 3.

  So... which modules are those?  It would help to say what they are.

  The server doesn't include a module to authenticate against gmail.  If there are third-party modules, well, we don't know anything about them.

  I really wish that people would submit their modules back to us.  That way everyone could benefit from their work.

> The modules work only for version 2, I tried setting up freeradius 2 but I
> have another error with installing with the make and make install modules
> so that's another thing out of the question.

  "i did stuff and an error happened".

  Please read the docs for how to ask GOOD questions:

http://wiki.freeradius.org/list-help

> Is there any other way to authenticate against gmail in freeradius 3?

  Use a Perl or Python script.

  Alan DeKok.
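
One way to follow the "Use a Perl or Python script" suggestion above, written for rlm_python3 as an added example that is not from the thread or the FreeRADIUS project. It assumes TTLS with PAP inside the tunnel so that User-Password is present, that the IMAP server accepts password logins for these accounts, and that attribute values arrive unquoted; the realm allow-list and the check_password / imap_connect names are this example's own.

```python
"""rlm_python3 module: verify the tunnelled PAP password with an IMAPS login."""
import imaplib
import ssl

try:
    import radiusd  # only importable inside the FreeRADIUS server
    REJECT, FAIL, OK = (radiusd.RLM_MODULE_REJECT, radiusd.RLM_MODULE_FAIL,
                        radiusd.RLM_MODULE_OK)
except ImportError:  # outside the server: values from the radiusd.py stub
    REJECT, FAIL, OK = 0, 1, 2

IMAP_HOST, IMAP_PORT = "imap.gmail.com", 993   # PAM_Server0 in the thread
ALLOWED_REALMS = {"ucn.cl", "alumnos.ucn.cl"}  # realms in the thread's debug log


def imap_connect(host=IMAP_HOST, port=IMAP_PORT):
    """Open an IMAPS connection with certificate and host name verification."""
    context = ssl.create_default_context()
    return imaplib.IMAP4_SSL(host, port, ssl_context=context, timeout=10)


def check_password(user, password, connect=imap_connect):
    """Return OK, REJECT (bad credentials) or FAIL (could not ask the server)."""
    name, sep, realm = user.rpartition("@")
    if not sep or not name or realm.lower() not in ALLOWED_REALMS:
        return REJECT  # never send credentials for realms we do not serve
    if not password or any(ord(c) < 32 or ord(c) == 127 for c in user + password):
        return REJECT  # control characters must never reach the IMAP command line
    try:
        conn = connect()
    except (OSError, imaplib.IMAP4.error):
        return FAIL  # unreachable or TLS verification failed: not the user's fault
    try:
        conn.login(user, password)
        return OK
    except imaplib.IMAP4.abort:
        return FAIL  # abort is a subclass of error, so it is caught first
    except imaplib.IMAP4.error:
        return REJECT  # the server answered NO to LOGIN
    except OSError:
        return FAIL
    finally:
        try:
            conn.logout()
        except Exception:
            pass  # the connection may already be gone


def authenticate(p):
    """Entry point named by func_authenticate in the python3 module config.

    p is the request as ((name, value), ...). The password is never logged.
    """
    attrs = dict(p)
    user = attrs.get("User-Name")
    password = attrs.get("User-Password")
    if user is None or password is None:
        # PAP only: a method that supplies no clear-text password cannot be checked.
        return REJECT
    return check_password(user, password)
```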



Re: EAP Submodule failed. PAM module issue.

bhp1
 >So... which modules are those?  It would help to say what they are.

 The modules tried were the PAM-IMAP
https://github.com/wdoekes/pam-imap
and rlm_gauth. They are both third party.
https://github.com/portellaa/rlm_gauth

>  "i did stuff and an error happened".

  >Please read the docs for how to ask GOOD questions:

When trying to execute the "make" command and "make install" in freeradius
2.2.10 this is the output given:

Make.inc:116: *** Building FREERADIUS requires libtool. Stop.

Even though libtool is already installed.

>Use a Perl or Python script.
Thanks. I'll look into that.

Best regards.

El mié., 16 sept. 2020 a las 21:22, Alan DeKok (<[hidden email]>)
escribió:

> On Sep 16, 2020, at 7:05 PM, HORMAZABAL PI�ONES BARBARA FRANCISCA <
> [hidden email]> wrote:
> >
> > I apologize for the late reply. So I couldn't find a way to fix it and
> > ended up trying to redo it all over again, re-installing freeradius and
> > all. However, whenever I try to compile the module there is an
> > incompatibility problem. Turns out this module and any other module I have
> > looked for that authenticates against gmail is obsolete with freeradius 3.
>
>   So... which modules are those?  It would help to say what they are.
>
>   The server doesn't include a module to authenticate against gmail.  If
> there are third-party modules, well, we don't know anything about them.
>
>   I really wish that people would submit their modules back to us.  That
> way everyone could benefit from their work.
>
> > The modules work only for version 2, I tried setting up freeradius 2 but I
> > have another error with installing with the make and make install modules
> > so that's another thing out of the question.
>
>   "i did stuff and an error happened".
>
>   Please read the docs for how to ask GOOD questions:
>
> http://wiki.freeradius.org/list-help
>
> > Is there any other way to authenticate against gmail in freeradius 3?
>
>   Use a Perl or Python script.
>
>   Alan DeKok.

Re: EAP Submodule failed. PAM module issue.

Alan DeKok-2
On Sep 16, 2020, at 10:30 PM, HORMAZABAL PIÑONES BARBARA FRANCISCA <[hidden email]> wrote:
>
>> So... which modules are those?  It would help to say what they are.
>
> The modules tried were the PAM-IMAP
> https://github.com/wdoekes/pam-imap

  That isn't a FreeRADIUS module.

> and rlm_gauth. They are both third party.
> https://github.com/portellaa/rlm_gauth

  That's small enough that it should be trivial to port it to v3.

>> "i did stuff and an error happened".
>
>> Please read the docs for how to ask GOOD questions:
>
> When trying to execute the "make" command and "make install" in freeradius
> 2.2.10 this is the output given:
>
> Make.inc:116: *** Building FREERADIUS requires libtool. Stop.
>
> Even though libtool is already installed.

  You didn't run "configure" before running "make".  The documentation says to do this.

  Alan DeKok.



Re: EAP Submodule failed. PAM module issue.

bhp1
>That's small enough that it should be trivial to port it to v3.
Sorry if it's trivial but how can I do this?

>You didn't run "configure" before running "make".  The documentation says
>to do this.
I did run configure and then make and make install. I was reading the
documentation while doing this. However a different error appeared today
when doing the process again:

eap_tls.c:132:28: error: dereferencing pointer to incomplete type 'SSL
{aka struct ssl_st}'
            tls_session->ssl->session);
                            ^~
Makefile:25: recipe for target 'eap_tls.lo' failed
make[7]: *** [eap_tls.lo] Error 1
make[7]: Leaving directory '/opt/freeradius_2_2_10/src/modules/rlm_eap/libeap'
Makefile:54: recipe for target 'libeap' failed
make[6]: *** [libeap] Error 2
make[6]: Leaving directory '/opt/freeradius_2_2_10/src/modules/rlm_eap'
Makefile:37: recipe for target 'rlm_eap' failed
make[5]: *** [rlm_eap] Error 2
make[5]: Leaving directory '/opt/freeradius_2_2_10/src/modules'
Makefile:12: recipe for target 'all' failed
make[4]: *** [all] Error 2
make[4]: Leaving directory '/opt/freeradius_2_2_10/src/modules'
Makefile:39: recipe for target 'modules' failed
make[3]: *** [modules] Error 2
make[3]: Leaving directory '/opt/freeradius_2_2_10'


On Wed, Sep 16, 2020 at 23:45, Alan DeKok (<[hidden email]>) wrote:

> On Sep 16, 2020, at 10:30 PM, HORMAZABAL PIÑONES BARBARA FRANCISCA <
> [hidden email]> wrote:
> >
> >> So... which modules are those?  It would help to say what they are.
> >
> > The modules tried were the PAM-IMAP
> > https://github.com/wdoekes/pam-imap
>
>   That isn't a FreeRADIUS module.
>
> > and rlm_gauth. They are both third party.
> > https://github.com/portellaa/rlm_gauth
>
>   That's small enough that it should be trivial to port it to v3.
>
> >> "i did stuff and an error happened".
> >
> >> Please read the docs for how to ask GOOD questions:
> >
> > When trying to execute the "make" command and "make install" in freeradius
> > 2.2.10 this is the output given:
> >
> > Make.inc:116: *** Building FREERADIUS requires libtool. Stop.
> >
> > Even though libtool is already installed.
>
>   You didn't run "configure" before running "make".  The documentation
> says to do this.
>
>   Alan DeKok.

Re: EAP Submodule failed. PAM module issue.

Alan DeKok-2
On Sep 17, 2020, at 2:12 PM, HORMAZABAL PIÑONES BARBARA FRANCISCA <[hidden email]> wrote:
>> That's small enough that it should be trivial to port it to v3.
> Sorry if it's trivial but how can I do this?

  You need to know C.

>> You didn't run "configure" before running "make".  The documentation says
>> to do this.
> I did run configure and then make and make install. I was reading the
> documentation while doing this. However a different error appeared today
> when doing the process again:
>
> eap_tls.c:132:28: error: dereferencing pointer to incomplete type 'SSL
> {aka struct ssl_st}'
>            tls_session->ssl->session);
>                            ^~

  Hmm... you're using a newer version of OpenSSL.  Oh well.  v2 isn't supported, and hasn't been updated for newer versions of OpenSSL.

  Alan DeKok.

