Trouble With Eap-TTLS - PAP - LDAP - Azure AD DS


Trouble With Eap-TTLS - PAP - LDAP - Azure AD DS

Bryce Long
Hello! I am trying to use Azure AD through Azure Domain Services as an auth
for our wifi.

I have read several posts from people on this forum and have been through all
the instructions in the config files for FreeRADIUS and the FreeRADIUS website.
I'm new to all this and I know I'm missing something.

I can get PAP to work per the setup, and I think EAP works as well (not
sure here?).

My LDAP bind works when I use radtest, but anything else fails.

I've also looked at the error messages and warnings in the debug, but I'm
still missing something in a config somewhere.

Please help!

Here is my debug log:

   ipv6addr = ::
  port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
  type = "acct"
  ipv6addr = ::
  port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
  type = "auth"
  ipaddr = 127.0.0.1
  port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 45825
Listening on proxy address :: port 41484
Ready to process requests
(0) Received Access-Request Id 114 from 68.45.161.30:1824 to 10.0.1.5:1812
length 123
(0)   User-Name = "dtown"
(0)   NAS-IP-Address = 68.45.161.30
(0)   Called-Station-Id = "7823aed64a00"
(0)   Calling-Station-Id = "a483e742cff0"
(0)   NAS-Identifier = "7823aed64a00"
(0)   NAS-Port = 125
(0)   Framed-MTU = 1400
(0)   NAS-Port-Type = Wireless-802.11
(0)   EAP-Message = 0x0200000a0164746f776e
(0)   Message-Authenticator = 0xc4b316926a530a22a2915e885854b423
(0) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 10
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 1 length 22
(0) eap: EAP session adding &reply:State = 0x749ecc9b749fc856
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 114 from 10.0.1.5:1812 to 68.45.161.30:1824
length 0
(0)   EAP-Message = 0x0101001604105b9005bc07e64ece96b8e8753b9faa7d
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x749ecc9b749fc8560d9a9245bf7c0b3d
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 115 from 68.45.161.30:1824 to 10.0.1.5:1812
length 139
(1)   User-Name = "dtown"
(1)   NAS-IP-Address = 68.45.161.30
(1)   Called-Station-Id = "7823aed64a00"
(1)   Calling-Station-Id = "a483e742cff0"
(1)   NAS-Identifier = "7823aed64a00"
(1)   NAS-Port = 125
(1)   Framed-MTU = 1400
(1)   State = 0x749ecc9b749fc8560d9a9245bf7c0b3d
(1)   NAS-Port-Type = Wireless-802.11
(1)   EAP-Message = 0x020100080319152b
(1)   Message-Authenticator = 0x0ffdac48427e34cb2a5461df93be7d94
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 8
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x749ecc9b749fc856
(1) eap: Finished EAP session with state 0x749ecc9b749fc856
(1) eap: Previous EAP request found for state 0x749ecc9b749fc856, released
from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 2 length 6
(1) eap: EAP session adding &reply:State = 0x749ecc9b759cd556
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1)   Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 115 from 10.0.1.5:1812 to 68.45.161.30:1824
length 0
(1)   EAP-Message = 0x010200061920
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0x749ecc9b759cd5560d9a9245bf7c0b3d
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 116 from 68.45.161.30:1824 to 10.0.1.5:1812
length 292
(2)   User-Name = "dtown"
(2)   NAS-IP-Address = 68.45.161.30
(2)   Called-Station-Id = "7823aed64a00"
(2)   Calling-Station-Id = "a483e742cff0"
(2)   NAS-Identifier = "7823aed64a00"
(2)   NAS-Port = 125
(2)   Framed-MTU = 1400
(2)   State = 0x749ecc9b759cd5560d9a9245bf7c0b3d
(2)   NAS-Port-Type = Wireless-802.11
(2)   EAP-Message =
0x020200a119800000009716030100920100008e03035fd3baf05c37c33a4fc237ff3e32630f58d2c0662e8ca4f4eae0445c4427bf5600002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
(2)   Message-Authenticator = 0xb050e9f9e27e2b66aa11cfe13f1bb1f2
(2) session-state: No cached attributes
(2) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 2 length 161
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0x749ecc9b759cd556
(2) eap: Finished EAP session with state 0x749ecc9b759cd556
(2) eap: Previous EAP request found for state 0x749ecc9b759cd556, released
from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 151 bytes
(2) eap_peap: Got complete TLS record (151 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: <<< recv TLS 1.3  [length 0092]
(2) eap_peap: TLS_accept: SSLv3/TLS read client hello
(2) eap_peap: >>> send TLS 1.2  [length 003d]
(2) eap_peap: TLS_accept: SSLv3/TLS write server hello
(2) eap_peap: >>> send TLS 1.2  [length 0903]
(2) eap_peap: TLS_accept: SSLv3/TLS write certificate
(2) eap_peap: >>> send TLS 1.2  [length 014d]
(2) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(2) eap_peap: >>> send TLS 1.2  [length 0004]
(2) eap_peap: TLS_accept: SSLv3/TLS write server done
(2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(2) eap_peap: TLS - In Handshake Phase
(2) eap_peap: TLS - got 2725 bytes of data
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 1004
(2) eap: EAP session adding &reply:State = 0x749ecc9b769dd556
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2)   Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 116 from 10.0.1.5:1812 to 68.45.161.30:1824
length 0
(2)   EAP-Message =
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0x749ecc9b769dd5560d9a9245bf7c0b3d
(2) Finished request
Waking up in 4.8 seconds.
(3) Received Access-Request Id 117 from 68.45.161.30:1824 to 10.0.1.5:1812
length 137
(3)   User-Name = "dtown"
(3)   NAS-IP-Address = 68.45.161.30
(3)   Called-Station-Id = "7823aed64a00"
(3)   Calling-Station-Id = "a483e742cff0"
(3)   NAS-Identifier = "7823aed64a00"
(3)   NAS-Port = 125
(3)   Framed-MTU = 1400
(3)   State = 0x749ecc9b769dd5560d9a9245bf7c0b3d
(3)   NAS-Port-Type = Wireless-802.11
(3)   EAP-Message = 0x020300061900
(3)   Message-Authenticator = 0x834c6579fac00cffba174a77e16bba33
(3) session-state: No cached attributes
(3) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0x749ecc9b769dd556
(3) eap: Finished EAP session with state 0x749ecc9b769dd556
(3) eap: Previous EAP request found for state 0x749ecc9b769dd556, released
from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 1000
(3) eap: EAP session adding &reply:State = 0x749ecc9b779ad556
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3)   Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 117 from 10.0.1.5:1812 to 68.45.161.30:1824
length 0
(3)   EAP-Message =
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0x749ecc9b779ad5560d9a9245bf7c0b3d
(3) Finished request
Waking up in 4.7 seconds.
(4) Received Access-Request Id 118 from 68.45.161.30:1824 to 10.0.1.5:1812
length 137
(4)   User-Name = "dtown"
(4)   NAS-IP-Address = 68.45.161.30
(4)   Called-Station-Id = "7823aed64a00"
(4)   Calling-Station-Id = "a483e742cff0"
(4)   NAS-Identifier = "7823aed64a00"
(4)   NAS-Port = 125
(4)   Framed-MTU = 1400
(4)   State = 0x749ecc9b779ad5560d9a9245bf7c0b3d
(4)   NAS-Port-Type = Wireless-802.11
(4)   EAP-Message = 0x020400061900
(4)   Message-Authenticator = 0x60af64804bd551969cbdeee1ccc4c597
(4) session-state: No cached attributes
(4) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 4 length 6
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0x749ecc9b779ad556
(4) eap: Finished EAP session with state 0x749ecc9b779ad556
(4) eap: Previous EAP request found for state 0x749ecc9b779ad556, released
from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 743
(4) eap: EAP session adding &reply:State = 0x749ecc9b709bd556
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4)   Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 118 from 10.0.1.5:1812 to 68.45.161.30:1824
length 0
(4)   EAP-Message =
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0x749ecc9b709bd5560d9a9245bf7c0b3d
(4) Finished request
Waking up in 4.6 seconds.
(5) Received Access-Request Id 119 from 68.45.161.30:1824 to 10.0.1.5:1812
length 267
(5)   User-Name = "dtown"
(5)   NAS-IP-Address = 68.45.161.30
(5)   Called-Station-Id = "7823aed64a00"
(5)   Calling-Station-Id = "a483e742cff0"
(5)   NAS-Identifier = "7823aed64a00"
(5)   NAS-Port = 125
(5)   Framed-MTU = 1400
(5)   State = 0x749ecc9b709bd5560d9a9245bf7c0b3d
(5)   NAS-Port-Type = Wireless-802.11
(5)   EAP-Message =
0x0205008819800000007e1603030046100000424104a28febeb0bb5f0922c97a95a5811f1696d6f4c2d375be0e34172007a28356a1068e9734682743ae0ae572000372fc2df84b48af1a34607c1f7703210b33f7f691403030001011603030028e3277115802d5ed3e247c8b34b1b3e062cf33600daf2c24d78ae457b1ade2f852f97aa0aaff65dd4
(5)   Message-Authenticator = 0xac005f74adeffb71241ac5773458d9b3
(5) session-state: No cached attributes
(5) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 5 length 136
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0x749ecc9b709bd556
(5) eap: Finished EAP session with state 0x749ecc9b709bd556
(5) eap: Previous EAP request found for state 0x749ecc9b709bd556, released
from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(5) eap_peap: Got complete TLS record (126 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: TLS_accept: SSLv3/TLS write server done
(5) eap_peap: <<< recv TLS 1.2  [length 0046]
(5) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(5) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(5) eap_peap: <<< recv TLS 1.2  [length 0010]
(5) eap_peap: TLS_accept: SSLv3/TLS read finished
(5) eap_peap: >>> send TLS 1.2  [length 0001]
(5) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(5) eap_peap: >>> send TLS 1.2  [length 0010]
(5) eap_peap: TLS_accept: SSLv3/TLS write finished
(5) eap_peap: (other): SSL negotiation finished successfully
(5) eap_peap: TLS - Connection Established
(5) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) eap_peap: TLS-Session-Version = "TLS 1.2"
(5) eap_peap: TLS - got 51 bytes of data
(5) eap_peap: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 6 length 57
(5) eap: EAP session adding &reply:State = 0x749ecc9b7198d556
(5)     [eap] = handled
(5)   } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5)   Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5)   TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 119 from 10.0.1.5:1812 to 68.45.161.30:1824
length 0
(5)   EAP-Message =
0x0106003919001403030001011603030028ab6860cd676579b8791ad027b85f2cc62cef4b5e2398c38a789b83ee466bb6216435f7b2d366eadb
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0x749ecc9b7198d5560d9a9245bf7c0b3d
(5) Finished request
Waking up in 4.6 seconds.
(6) Received Access-Request Id 120 from 68.45.161.30:1824 to 10.0.1.5:1812
length 137
(6)   User-Name = "dtown"
(6)   NAS-IP-Address = 68.45.161.30
(6)   Called-Station-Id = "7823aed64a00"
(6)   Calling-Station-Id = "a483e742cff0"
(6)   NAS-Identifier = "7823aed64a00"
(6)   NAS-Port = 125
(6)   Framed-MTU = 1400
(6)   State = 0x749ecc9b7198d5560d9a9245bf7c0b3d
(6)   NAS-Port-Type = Wireless-802.11
(6)   EAP-Message = 0x020600061900
(6)   Message-Authenticator = 0xe9cc34f3ffc2b01148aadd11d1488c75
(6) Restoring &session-state
(6)   &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(6)   &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(6)   authorize {
(6)     policy filter_username {
(6)       if (&User-Name) {
(6)       if (&User-Name)  -> TRUE
(6)       if (&User-Name)  {
(6)         if (&User-Name =~ / /) {
(6)         if (&User-Name =~ / /)  -> FALSE
(6)         if (&User-Name =~ /@[^@]*@/ ) {
(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)         if (&User-Name =~ /\.\./ ) {
(6)         if (&User-Name =~ /\.\./ )  -> FALSE
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(6)         if (&User-Name =~ /\.$/)  {
(6)         if (&User-Name =~ /\.$/)   -> FALSE
(6)         if (&User-Name =~ /@\./)  {
(6)         if (&User-Name =~ /@\./)   -> FALSE
(6)       } # if (&User-Name)  = notfound
(6)     } # policy filter_username = notfound
(6)     [preprocess] = ok
(6)     [chap] = noop
(6)     [mschap] = noop
(6)     [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)     [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 6
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6)   authenticate {
(6) eap: Expiring EAP session with state 0x749ecc9b7198d556
(6) eap: Finished EAP session with state 0x749ecc9b7198d556
(6) eap: Previous EAP request found for state 0x749ecc9b7198d556, released
from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
(6) eap_peap: [eaptls verify] = success
(6) eap_peap: [eaptls process] = success
(6) eap_peap: Session established.  Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) eap: Sending EAP Request (code 1) ID 7 length 40
(6) eap: EAP session adding &reply:State = 0x749ecc9b7299d556
(6)     [eap] = handled
(6)   } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6)   Challenge { ... } # empty sub-section is ignored
(6) session-state: Saving cached attributes
(6)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6)   TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 120 from 10.0.1.5:1812 to 68.45.161.30:1824
length 0
(6)   EAP-Message =
0x010700281900170303001dab6860cd676579b9c9c7c6538c84a36bb004ad177a41505c31ef35af47
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0x749ecc9b7299d5560d9a9245bf7c0b3d
(6) Finished request
Waking up in 4.5 seconds.
(7) Received Access-Request Id 121 from 68.45.161.30:1824 to 10.0.1.5:1812
length 172
(7)   User-Name = "dtown"
(7)   NAS-IP-Address = 68.45.161.30
(7)   Called-Station-Id = "7823aed64a00"
(7)   Calling-Station-Id = "a483e742cff0"
(7)   NAS-Identifier = "7823aed64a00"
(7)   NAS-Port = 125
(7)   Framed-MTU = 1400
(7)   State = 0x749ecc9b7299d5560d9a9245bf7c0b3d
(7)   NAS-Port-Type = Wireless-802.11
(7)   EAP-Message =
0x020700291900170303001ee3277115802d5ed4bc164f722798531c9d7f02629fac47c95c8e628766ff
(7)   Message-Authenticator = 0x48b8d15b4c4f0070c13caeba3c46ccfe
(7) Restoring &session-state
(7)   &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(7)   &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(7)   authorize {
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = notfound
(7)     } # policy filter_username = notfound
(7)     [preprocess] = ok
(7)     [chap] = noop
(7)     [mschap] = noop
(7)     [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)     [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 41
(7) eap: Continuing tunnel setup
(7)     [eap] = ok
(7)   } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7)   authenticate {
(7) eap: Expiring EAP session with state 0x749ecc9b7299d556
(7) eap: Finished EAP session with state 0x749ecc9b7299d556
(7) eap: Previous EAP request found for state 0x749ecc9b7299d556, released
from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established.  Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - dtown
(7) eap_peap: Got inner identity 'dtown'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap:   EAP-Message = 0x0207000a0164746f776e
(7) eap_peap: Setting User-Name to dtown
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap:   EAP-Message = 0x0207000a0164746f776e
(7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap:   User-Name = "dtown"
(7) Virtual server inner-tunnel received request
(7)   EAP-Message = 0x0207000a0164746f776e
(7)   FreeRADIUS-Proxied-To = 127.0.0.1
(7)   User-Name = "dtown"
(7) WARNING: Outer and inner identities are the same.  User privacy is
compromised.
(7) server inner-tunnel {
(7)   # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
(7)     authorize {
(7)       policy filter_username {
(7)         if (&User-Name) {
(7)         if (&User-Name)  -> TRUE
(7)         if (&User-Name)  {
(7)           if (&User-Name =~ / /) {
(7)           if (&User-Name =~ / /)  -> FALSE
(7)           if (&User-Name =~ /@[^@]*@/ ) {
(7)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)           if (&User-Name =~ /\.\./ ) {
(7)           if (&User-Name =~ /\.\./ )  -> FALSE
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(7)           if (&User-Name =~ /\.$/)  {
(7)           if (&User-Name =~ /\.$/)   -> FALSE
(7)           if (&User-Name =~ /@\./)  {
(7)           if (&User-Name =~ /@\./)   -> FALSE
(7)         } # if (&User-Name)  = notfound
(7)       } # policy filter_username = notfound
(7)       [chap] = noop
(7)       [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)       [suffix] = noop
(7)       update control {
(7)         &Proxy-To-Realm := LOCAL
(7)       } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 10
(7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(7)       [eap] = ok
(7)     } # authorize = ok
(7)   Found Auth-Type = eap
(7)   # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(7)     authenticate {
(7) eap: Peer sent packet with method EAP Identity (1)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: Issuing Challenge
(7) eap: Sending EAP Request (code 1) ID 8 length 43
(7) eap: EAP session adding &reply:State = 0x5daed4a35da6ce1f
(7)       [eap] = handled
(7)     } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7)   EAP-Message =
0x0108002b1a0108002610fda36be34d5835d4e5707f95f7ba61ad667265657261646975732d332e302e3231
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0x5daed4a35da6ce1f5d1d1b40ddc30e5a
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap:   EAP-Message =
0x0108002b1a0108002610fda36be34d5835d4e5707f95f7ba61ad667265657261646975732d332e302e3231
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap:   State = 0x5daed4a35da6ce1f5d1d1b40ddc30e5a
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap:   EAP-Message =
0x0108002b1a0108002610fda36be34d5835d4e5707f95f7ba61ad667265657261646975732d332e302e3231
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap:   State = 0x5daed4a35da6ce1f5d1d1b40ddc30e5a
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 8 length 74
(7) eap: EAP session adding &reply:State = 0x749ecc9b7396d556
(7)     [eap] = handled
(7)   } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7)   Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7)   TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 121 from 10.0.1.5:1812 to 68.45.161.30:1824
length 0
(7)   EAP-Message =
0x0108004a1900170303003fab6860cd676579ba5da69c46a36a4ada177ebb9815838a7895cedb20e47336c0ff9a6b1fc50076ed429c2c0e6c4d08099cb3ce1588e996659cfa9f474edf48
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0x749ecc9b7396d5560d9a9245bf7c0b3d
(7) Finished request
Waking up in 4.4 seconds.
(8) Received Access-Request Id 122 from 68.45.161.30:1824 to 10.0.1.5:1812
length 226
(8)   User-Name = "dtown"
(8)   NAS-IP-Address = 68.45.161.30
(8)   Called-Station-Id = "7823aed64a00"
(8)   Calling-Station-Id = "a483e742cff0"
(8)   NAS-Identifier = "7823aed64a00"
(8)   NAS-Port = 125
(8)   Framed-MTU = 1400
(8)   State = 0x749ecc9b7396d5560d9a9245bf7c0b3d
(8)   NAS-Port-Type = Wireless-802.11
(8)   EAP-Message =
0x0208005f19001703030054e3277115802d5ed51cdae37d534fb40d32faa53975c2112f2a8f3d0a0f1c6ebcabebc6adf24a91f72cdf023696db57b08f8e0384bedaebf5435e68d77469eefc4adf89749b0906e476d06cb27319d180252acdda
(8)   Message-Authenticator = 0xb9d5b39508bd6f731e5e6668a92603dd
(8) Restoring &session-state
(8)   &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(8)   &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(8)   authorize {
(8)     policy filter_username {
(8)       if (&User-Name) {
(8)       if (&User-Name)  -> TRUE
(8)       if (&User-Name)  {
(8)         if (&User-Name =~ / /) {
(8)         if (&User-Name =~ / /)  -> FALSE
(8)         if (&User-Name =~ /@[^@]*@/ ) {
(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)         if (&User-Name =~ /\.\./ ) {
(8)         if (&User-Name =~ /\.\./ )  -> FALSE
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(8)         if (&User-Name =~ /\.$/)  {
(8)         if (&User-Name =~ /\.$/)   -> FALSE
(8)         if (&User-Name =~ /@\./)  {
(8)         if (&User-Name =~ /@\./)   -> FALSE
(8)       } # if (&User-Name)  = notfound
(8)     } # policy filter_username = notfound
(8)     [preprocess] = ok
(8)     [chap] = noop
(8)     [mschap] = noop
(8)     [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 95
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8)   authenticate {
(8) eap: Expiring EAP session with state 0x5daed4a35da6ce1f
(8) eap: Finished EAP session with state 0x749ecc9b7396d556
(8) eap: Previous EAP request found for state 0x749ecc9b7396d556, released
from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap:   EAP-Message =
0x020800401a0208003b31b3a561282461f972e08f36d0073a340300000000000000006cfd5c6a2d438860eef9631da70a0cf093cc39f0a06598a60064746f776e
(8) eap_peap: Setting User-Name to dtown
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap:   EAP-Message =
0x020800401a0208003b31b3a561282461f972e08f36d0073a340300000000000000006cfd5c6a2d438860eef9631da70a0cf093cc39f0a06598a60064746f776e
(8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap:   User-Name = "dtown"
(8) eap_peap:   State = 0x5daed4a35da6ce1f5d1d1b40ddc30e5a
(8) Virtual server inner-tunnel received request
(8)   EAP-Message =
0x020800401a0208003b31b3a561282461f972e08f36d0073a340300000000000000006cfd5c6a2d438860eef9631da70a0cf093cc39f0a06598a60064746f776e
(8)   FreeRADIUS-Proxied-To = 127.0.0.1
(8)   User-Name = "dtown"
(8)   State = 0x5daed4a35da6ce1f5d1d1b40ddc30e5a
(8) WARNING: Outer and inner identities are the same.  User privacy is
compromised.
(8) server inner-tunnel {
(8)   session-state: No cached attributes
(8)   # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
(8)     authorize {
(8)       policy filter_username {
(8)         if (&User-Name) {
(8)         if (&User-Name)  -> TRUE
(8)         if (&User-Name)  {
(8)           if (&User-Name =~ / /) {
(8)           if (&User-Name =~ / /)  -> FALSE
(8)           if (&User-Name =~ /@[^@]*@/ ) {
(8)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)           if (&User-Name =~ /\.\./ ) {
(8)           if (&User-Name =~ /\.\./ )  -> FALSE
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(8)           if (&User-Name =~ /\.$/)  {
(8)           if (&User-Name =~ /\.$/)   -> FALSE
(8)           if (&User-Name =~ /@\./)  {
(8)           if (&User-Name =~ /@\./)   -> FALSE
(8)         } # if (&User-Name)  = notfound
(8)       } # policy filter_username = notfound
(8)       [chap] = noop
(8)       [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)       [suffix] = noop
(8)       update control {
(8)         &Proxy-To-Realm := LOCAL
(8)       } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 64
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8)       [eap] = updated
(8)       [files] = noop
rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 65
seconds
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 65
seconds
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 65
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 65
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 65
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase
"spare"
rlm_ldap (ldap): Opening additional connection (5), 1 of 32 pending slots
used
rlm_ldap (ldap): Connecting to ldap://developertown.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (5)
(8) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap:    --> (cn=dtown)
(8) ldap: Performing search in "OU=AADDC Users, DC=developertown,dc=com"
with filter "(cn=dtown)", scope "sub"
(8) ldap: Waiting for search result...
(8) ldap: User object found at DN "CN=dtown,OU=AADDC
Users,DC=developertown,DC=com"
(8) ldap: Processing user attributes
(8) ldap: WARNING: No "known good" password added. Ensure the admin user
has permission to read the password attribute
(8) ldap: WARNING: PAP authentication will *NOT* work with Active Directory
(if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (5)
Need 2 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (6), 1 of 31 pending slots
used
rlm_ldap (ldap): Connecting to ldap://developertown.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(8)       [ldap] = ok
(8)       [expiration] = noop
(8)       [logintime] = noop
(8)       [pap] = noop
(8)     } # authorize = updated
(8)   Found Auth-Type = eap
(8)   # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8)     authenticate {
(8) eap: Expiring EAP session with state 0x5daed4a35da6ce1f
(8) eap: Finished EAP session with state 0x5daed4a35da6ce1f
(8) eap: Previous EAP request found for state 0x5daed4a35da6ce1f, released
from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
(8) eap_mschapv2:   authenticate {
(8) mschap: WARNING: No Cleartext-Password configured.  Cannot create
NT-Password
(8) mschap: Creating challenge hash with username: dtown
(8) mschap: Client is using MS-CHAPv2
(8) mschap: ERROR: FAILED: No NT-Password.  Cannot perform authentication
(8) mschap: ERROR: MS-CHAP2-Response is incorrect
(8) eap_mschapv2:     [mschap] = reject
(8) eap_mschapv2:   } # authenticate = reject
(8) eap: Sending EAP Failure (code 4) ID 8 length 4
(8) eap: Freeing handler
(8)       [eap] = reject
(8)     } # authenticate = reject
(8)   Failed to authenticate the user
(8)   Using Post-Auth-Type Reject
(8)   # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8)     Post-Auth-Type REJECT {
(8) attr_filter.access_reject: EXPAND %{User-Name}
(8) attr_filter.access_reject:    --> dtown
(8) attr_filter.access_reject: Matched entry DEFAULT at line 11
(8)       [attr_filter.access_reject] = updated
(8)       update outer.session-state {
(8)         &Module-Failure-Message := &request:Module-Failure-Message ->
'mschap: FAILED: No NT-Password.  Cannot perform authentication'
(8)       } # update outer.session-state = noop
(8)     } # Post-Auth-Type REJECT = updated
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8)   MS-CHAP-Error = "\010E=691 R=1 C=3470efc6beebf4771fe9b420897b9c03 V=3
M=Authentication rejected"
(8)   EAP-Message = 0x04080004
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Got tunneled reply code 3
(8) eap_peap:   MS-CHAP-Error = "\010E=691 R=1
C=3470efc6beebf4771fe9b420897b9c03 V=3 M=Authentication rejected"
(8) eap_peap:   EAP-Message = 0x04080004
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Got tunneled reply RADIUS code 3
(8) eap_peap:   MS-CHAP-Error = "\010E=691 R=1
C=3470efc6beebf4771fe9b420897b9c03 V=3 M=Authentication rejected"
(8) eap_peap:   EAP-Message = 0x04080004
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Tunneled authentication was rejected
(8) eap_peap: FAILURE
(8) eap: Sending EAP Request (code 1) ID 9 length 46
(8) eap: EAP session adding &reply:State = 0x749ecc9b7c97d556
(8)     [eap] = handled
(8)   } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8)   Challenge { ... } # empty sub-section is ignored
(8) session-state: Saving cached attributes
(8)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8)   TLS-Session-Version = "TLS 1.2"
(8)   Module-Failure-Message := "mschap: FAILED: No NT-Password.  Cannot
perform authentication"
(8) Sent Access-Challenge Id 122 from 10.0.1.5:1812 to 68.45.161.30:1824
length 0
(8)   EAP-Message =
0x0109002e19001703030023ab6860cd676579bbf8e24db65e3b3ad7c73a183632753492b3bcd66ede043aa9335aa9
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0x749ecc9b7c97d5560d9a9245bf7c0b3d
(8) Finished request
Waking up in 4.3 seconds.
(9) Received Access-Request Id 123 from 68.45.161.30:1824 to 10.0.1.5:1812
length 177
(9)   User-Name = "dtown"
(9)   NAS-IP-Address = 68.45.161.30
(9)   Called-Station-Id = "7823aed64a00"
(9)   Calling-Station-Id = "a483e742cff0"
(9)   NAS-Identifier = "7823aed64a00"
(9)   NAS-Port = 125
(9)   Framed-MTU = 1400
(9)   State = 0x749ecc9b7c97d5560d9a9245bf7c0b3d
(9)   NAS-Port-Type = Wireless-802.11
(9)   EAP-Message =
0x0209002e19001703030023e3277115802d5ed625e1da95b903138f9d2c1b64790aaef5e83488b5236ccedd4b6283
(9)   Message-Authenticator = 0xe96dd63632d387be9f2c5cfb51fd45d3
(9) Restoring &session-state
(9)   &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(9)   &session-state:TLS-Session-Version = "TLS 1.2"
(9)   &session-state:Module-Failure-Message := "mschap: FAILED: No
NT-Password.  Cannot perform authentication"
(9) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(9)   authorize {
(9)     policy filter_username {
(9)       if (&User-Name) {
(9)       if (&User-Name)  -> TRUE
(9)       if (&User-Name)  {
(9)         if (&User-Name =~ / /) {
(9)         if (&User-Name =~ / /)  -> FALSE
(9)         if (&User-Name =~ /@[^@]*@/ ) {
(9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)         if (&User-Name =~ /\.\./ ) {
(9)         if (&User-Name =~ /\.\./ )  -> FALSE
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(9)         if (&User-Name =~ /\.$/)  {
(9)         if (&User-Name =~ /\.$/)   -> FALSE
(9)         if (&User-Name =~ /@\./)  {
(9)         if (&User-Name =~ /@\./)   -> FALSE
(9)       } # if (&User-Name)  = notfound
(9)     } # policy filter_username = notfound
(9)     [preprocess] = ok
(9)     [chap] = noop
(9)     [mschap] = noop
(9)     [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 9 length 46
(9) eap: Continuing tunnel setup
(9)     [eap] = ok
(9)   } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9)   authenticate {
(9) eap: Expiring EAP session with state 0x749ecc9b7c97d556
(9) eap: Finished EAP session with state 0x749ecc9b7c97d556
(9) eap: Previous EAP request found for state 0x749ecc9b7c97d556, released
from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established.  Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv failure
(9) eap_peap: Received EAP-TLV response
(9) eap_peap:   ERROR: The users session was previously rejected: returning
reject (again.)
(9) eap_peap:   This means you need to read the PREVIOUS messages in the
debug output
(9) eap_peap:   to find out the reason why the user was rejected
(9) eap_peap:   Look for "reject" or "fail".  Those earlier messages will
tell you
(9) eap_peap:   what went wrong, and how to fix the problem
(9) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module
failed
(9) eap: Sending EAP Failure (code 4) ID 9 length 4
(9) eap: Failed in EAP select
(9)     [eap] = invalid
(9)   } # authenticate = invalid
(9) Failed to authenticate the user
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9)   Post-Auth-Type REJECT {
(9) attr_filter.access_reject: EXPAND %{User-Name}
(9) attr_filter.access_reject:    --> dtown
(9) attr_filter.access_reject: Matched entry DEFAULT at line 11
(9)     [attr_filter.access_reject] = updated
(9)     [eap] = noop
(9)     policy remove_reply_message_if_eap {
(9)       if (&reply:EAP-Message && &reply:Reply-Message) {
(9)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(9)       else {
(9)         [noop] = noop
(9)       } # else = noop
(9)     } # policy remove_reply_message_if_eap = noop
(9)   } # Post-Auth-Type REJECT = updated
(9) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(9) Sending delayed response
(9) Sent Access-Reject Id 123 from 10.0.1.5:1812 to 68.45.161.30:1824
length 44
(9)   EAP-Message = 0x04090004
(9)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.2 seconds.
(0) Cleaning up request packet ID 114 with timestamp +65
(1) Cleaning up request packet ID 115 with timestamp +65
(2) Cleaning up request packet ID 116 with timestamp +65
(3) Cleaning up request packet ID 117 with timestamp +65
(4) Cleaning up request packet ID 118 with timestamp +65
(5) Cleaning up request packet ID 119 with timestamp +65
(6) Cleaning up request packet ID 120 with timestamp +65
(7) Cleaning up request packet ID 121 with timestamp +65
Waking up in 0.1 seconds.
(8) Cleaning up request packet ID 122 with timestamp +65
(9) Cleaning up request packet ID 123 with timestamp +65
Ready to process requests
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Trouble With Eap-TTLS - PAP - LDAP - Azure AD DS

Alan Buxey

Re: Trouble With Eap-TTLS - PAP - LDAP - Azure AD DS

Bryce Long
I'm guessing the password as the auth mechanism?

I was just now reading from another post that I only really have 2 choices:
I either have to store the passwords somewhere for mschap to work or I have
to set the server to use ttls and pap?


On Fri, Dec 11, 2020 at 1:58 PM Alan Buxey <[hidden email]> wrote:

> hi,
>
>
> http://deployingradius.com/documents/protocols/oracles.html
> http://deployingradius.com/documents/protocols/compatibility.html
>
> what are you trying to pull from the LDAP for the user?
>
> alan

Re: Trouble With Eap-TTLS - PAP - LDAP - Azure AD DS

Sven Hartge-5
On 11.12.20 20:06, Bryce Long wrote:

> I was just now reading from another post that I only really have 2 choices:
> I either have to store the passwords somewhere for mschap to work or I have
> to set the server to use ttls and pap?

First choice: Yes, the one with the most compatibility.

Second choice: Problematic. The Client drives the conversation and if
the Client says "I wanna do PEAP-MSCHAPv2!" then there is nothing the
RADIUS server can do to convince him otherwise.

Since PEAP-MSCHAPv2 is still the most compatible protocol for WiFi you
really have no other choice than the first choice.

Unless you want to drown in support requests. (Ask me how I know.)

Regards,
Sven.

Re: Trouble With Eap-TTLS - PAP - LDAP - Azure AD DS

Bryce Long
That makes sense lol

Thank you for responding!

Could you guide me or tell me how I can best store those passwords? I don't
have a lot of experience in this area

Is this done in the free radius config files or somewhere else?

I read somewhere about changing the attributes for nt-password or pointing
at that attribute, but I couldn't find anything that really explained it
in detail.

Again thank you to everyone who responds been banging my head against this
for a little while

On Fri, Dec 11, 2020 at 3:24 PM Sven Hartge <[hidden email]> wrote:

> On 11.12.20 20:06, Bryce Long wrote:
>
> > I was just now reading from another post that I only really have 2
> choices:
> > I either have to store the passwords somewhere for mschap to work or I
> have
> > to set the server to use ttls and pap?
>
> First choice: Yes, the one with the most compatibility.
>
> Second choice: Problematic. The Client drives the conversation and if
> the Client says "I wanna do PEAP-MSCHAPv2!" then there is nothing the
> RADIUS server can do to convince him otherwise.
>
> Since PEAP-MSCHAPv2 is still the most compatible protocol for WiFi you
> really have no other choice than the first choice.
>
> Unless you want to drown in support requests. (Ask me how I know.)
>
> Regards,
> Sven.

Re: Trouble With Eap-TTLS - PAP - LDAP - Azure AD DS

Sven Hartge-5
On 11.12.20 21:36, Bryce Long wrote:

> Could you guide me or tell me how I can best store those passwords? I don't
> have a lot of experience in this area

In my case, using a normal OpenLDAP directory for authentication, I just
created an additional attribute in my existing schema which holds the
password.

The users have a web interface which they use to set said password.

In the configuration for the ldap module I then just pull that attribute
into the control list

update {
   control:Cleartext-Password += 'gifb-NetzPassword'
}

That takes care of everything, all the other modules will find it and
use it.

How to do this with Azure AD: No idea.

Regards,
Sven.

Re: Trouble With Eap-TTLS - PAP - LDAP - Azure AD DS

Alan Buxey
hi,

> How to do this with Azure AD: No idea.

Currently, same here. AzureAD is something I am currently working on.

alan