radius and ldap authentication.


Mohd Akhbar
I want to connect RADIUS with my LDAP (389 Directory), and my user passwords
are in SHA. Actually, I am taking over the task from a colleague. Please give
some advice. Thank you.

===========================================
[root@eduroam-idp ~]# radiusd -X
radiusd: FreeRADIUS Version 2.2.6, for host x86_64-redhat-linux-gnu, built
on Jul 17 2017 at 23:07:34
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/ldap.BAK
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/dhcp_sqlippool
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/radrelay
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/cache
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/eduroam-inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
main {
        allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
        name = "radiusd"
        prefix = "/usr"
        localstatedir = "/var"
        sbindir = "/usr/sbin"
        logdir = "/var/log/radius"
        run_dir = "/var/run/radiusd"
        libdir = "/usr/lib"
        radacctdir = "/var/log/radius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        pidfile = "/var/run/radiusd/radiusd.pid"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 log {
        stripped_names = no
        auth = yes
        auth_badpass = no
        auth_goodpass = no
 }
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = yes
        dead_time = 120
        wake_all_if_all_dead = no
 }
 realm ~^(.+\.)?uthm\.edu\.my$ {
        authhost = LOCAL
        accthost = LOCAL
 }
 realm DEFAULT {
        nostrip
        authhost = 192.168.241.12:1812
        secret = TcMvKbBdVChdYdeY
 }
 realm suffix {
 }
radiusd: #### Loading Clients ####
 client localhost {
        ipaddr = 192.168.241.12
        netmask = 32
        require_message_authenticator = no
        secret = "TcMvKbBdVChdYdeY"
        shortname = "radsec"
        nastype = "other"
        virtual_server = "eduroam-inner-tunnel"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /etc/raddb/modules/expr
 }
radiusd: #### Loading Virtual Servers ####
server { # from file
 modules {
  Module: Creating Auth-Type = digest
  Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /etc/raddb/modules/pap
  pap {
        encryption_scheme = "auto"
        auto_header = yes
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /etc/raddb/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
        allow_retry = yes
  }
 Module: Linked to module rlm_digest
 Module: Instantiating module "digest" from file /etc/raddb/modules/digest
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /etc/raddb/modules/unix
  unix {
        radwtmp = "/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/raddb/eap.conf
  eap {
        default_eap_type = "peap"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/etc/letsencrypt/live/
idp.uthm.edu.my/privkey.pem"
        certificate_file = "/etc/letsencrypt/live/idp.uthm.edu.my/cert.pem"
        CA_file = "/etc/letsencrypt/live/idp.uthm.edu.my/chain.pem"
        dh_file = "/etc/certs/dh"
        random_file = "/dev/urandom"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
        ecdh_curve = "prime256v1"
   }
WARNING: rlm_eap_tls: Unable to set DH parameters.  DH cipher suites may
not work!
WARNING: Fix this by running the OpenSSL command listed in eap.conf
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "eduroam-inner-tunnel"
        include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = yes
        virtual_server = "eduroam-inner-tunnel"
        soh = no
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
        with_ntdomain_hack = no
        send_error = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file
/etc/raddb/modules/preprocess
  preprocess {
        huntgroups = "/etc/raddb/huntgroups"
        hints = "/etc/raddb/hints"
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
  }
reading pairlist file /etc/raddb/huntgroups
reading pairlist file /etc/raddb/hints
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
  realm suffix {
        format = "suffix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /etc/raddb/modules/files
  files {
        usersfile = "/etc/raddb/users"
        acctusersfile = "/etc/raddb/acct_users"
        preproxy_usersfile = "/etc/raddb/preproxy_users"
        compat = "no"
  }
reading pairlist file /etc/raddb/users
reading pairlist file /etc/raddb/acct_users
reading pairlist file /etc/raddb/preproxy_users
 Module: Linked to module rlm_ldap
 Module: Instantiating module "ldap" from file /etc/raddb/modules/ldap
  ldap {
        server = "ldap.uthm.edu.my"
        port = 389
        password = "mypassword"
        expect_password = yes
        identity = "cn=Directory Manager"
        net_timeout = 1
        timeout = 4
        timelimit = 3
        max_uses = 0
        tls_mode = no
        start_tls = no
        tls_require_cert = "allow"
        basedn = "dc=uthm,dc=edu,dc=my"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        base_filter = "(objectclass=inetOrgPerson)"
        auto_header = no
        access_attr = "uid"
        access_attr_used_for_allow = yes
        groupname_attribute = "cn"
        groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        dictionary_mapping = "/etc/raddb/ldap.attrmap"
        ldap_debug = 0
        ldap_connections_number = 10
        compare_check_items = no
        do_xlat = yes
        set_auth_type = yes
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in
the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP uid mapped to RADIUS User-Name
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
conns: 0x7f75996694a0
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file
/etc/raddb/modules/expiration
  expiration {
        reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file
/etc/raddb/modules/logintime
  logintime {
        reply-message = "You are calling outside your allowed timespan  "
        minimum-timeout = 60
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file
/etc/raddb/modules/acct_unique
  acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier,
NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module "detail" from file /etc/raddb/modules/detail
  detail {
        detailfile =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  }
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /etc/raddb/modules/exec
  exec {
        wait = no
        input_pairs = "request"
        shell_escape = yes
        timeout = 10
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/modules/attr_filter
  attr_filter attr_filter.accounting_response {
        attrsfile = "/etc/raddb/attrs.accounting_response"
        key = "%{User-Name}"
        relaxed = no
  }
reading pairlist file /etc/raddb/attrs.accounting_response
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
  radutmp {
        filename = "/var/log/radius/radutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        perm = 384
        callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "attr_filter.access_reject" from file
/etc/raddb/modules/attr_filter
  attr_filter attr_filter.access_reject {
        attrsfile = "/etc/raddb/attrs.access_reject"
        key = "%{User-Name}"
        relaxed = no
  }
reading pairlist file /etc/raddb/attrs.access_reject
 } # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
server eduroam-inner-tunnel { # from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Instantiating module "auth_log" from file
/etc/raddb/modules/detail.log
  detail auth_log {
        detailfile =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  }
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "reply_log" from file
/etc/raddb/modules/detail.log
  detail reply_log {
        detailfile =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  }
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = 127.0.0.1
        port = 0
}
listen {
        type = "acct"
        ipaddr = 127.0.0.1
        port = 0
}
listen {
        type = "control"
 listen {
        socket = "/var/run/radiusd/radiusd.sock"
 }
}
listen {
        type = "auth"
        ipaddr = 127.0.0.1
        port = 18120
}
Listening on authentication address 127.0.0.1 port 1812
Listening on accounting address 127.0.0.1 port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1217
Ready to process requests.
rad_recv: Status-Server packet from host 192.168.241.12 port 56951, id=0,
length=38
        Message-Authenticator = 0xbf53e4c9a8a5a0bb431dc680c121d53d
server eduroam-inner-tunnel {
} # server eduroam-inner-tunnel
Sending Access-Accept of id 0 to 192.168.241.12 port 56951
Finished request 0.
Cleaning up request 0 ID 0 with timestamp +18
Going to the next request
Ready to process requests.

============================



Log when I try to connect as user test.
================================

rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
id=150, length=223
        User-Name = "[hidden email]"
        NAS-IP-Address = 192.168.241.12
        NAS-Port = 0
        NAS-Identifier = "eduroam"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "606720CB37CC"
        Called-Station-Id = "001A1E012EE8"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message = 0x020100150174657374407574686d2e6564752e6d79
        Aruba-Essid-Name = "eduroam"
        Aruba-Location-Id = "PTM-MIS"
        Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
        Message-Authenticator = 0xdc2b75e509a96ab724feaf3d03953633
server eduroam-inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log]      expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[auth_log]      expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]      expand: %t -> Fri Aug 11 12:48:34 2017
++[auth_log] = ok
[suffix] Looking up realm "uthm.edu.my" for User-Name = "[hidden email]"
[suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "uthm.edu.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for test
[ldap]  expand: %{Stripped-User-Name} -> test
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
[ldap]  expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to ldap.uthm.edu.my:389, authentication 0
  [ldap] bind as cn=Directory Manager/ik4k388x to ldap.uthm.edu.my:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
[ldap] checking if remote access for test is allowed by uid
[ldap] looking for check items in directory...
  [ldap] uid -> User-Name == "test"
  [ldap] userPassword -> Password-With-Header ==
"{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[files] = noop
++[mschap] = noop
[pap] No clear-text password in the request.  Not performing PAP.
++[pap] = noop
[eap] EAP packet type response id 1 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
} # server eduroam-inner-tunnel
Sending Access-Challenge of id 150 to 192.168.241.12 port 56951
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8fae4f288fac56d7f54a19d8916d3466
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Status-Server packet from host 192.168.241.12 port 56951, id=0,
length=38
        Message-Authenticator = 0xecface185786ea7a6b82e20ad361fc34
server eduroam-inner-tunnel {
} # server eduroam-inner-tunnel
Sending Access-Accept of id 0 to 192.168.241.12 port 56951
Finished request 8.
Cleaning up request 8 ID 0 with timestamp +220
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
id=151, length=398
        User-Name = "[hidden email]"
        NAS-IP-Address = 192.168.241.12
        NAS-Port = 0
        NAS-Identifier = "eduroam"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "606720CB37CC"
        Called-Station-Id = "001A1E012EE8"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message =
0x020200b21980000000a816030300a30100009f0303598d3725e7a897863c61fbd68a95003f647bab3f0324fa2da6110b4e8860890200003cc02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c01300390033009d009c003d003c0035002f000a006a0040003800320013000500040100003a000500050100000000000a0006000400170018000b00020100000d0010000e04010501020104030503020302020023000000170000ff01000100
        State = 0x8fae4f288fac56d7f54a19d8916d3466
        Aruba-Essid-Name = "eduroam"
        Aruba-Location-Id = "PTM-MIS"
        Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
        Message-Authenticator = 0x063c2c71061d7ae5e121a4058281fa1d
server eduroam-inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log]      expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[auth_log]      expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]      expand: %t -> Fri Aug 11 12:48:34 2017
++[auth_log] = ok
[suffix] Looking up realm "uthm.edu.my" for User-Name = "[hidden email]"
[suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "uthm.edu.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for test
[ldap]  expand: %{Stripped-User-Name} -> test
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
[ldap]  expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
[ldap] checking if remote access for test is allowed by uid
[ldap] looking for check items in directory...
  [ldap] uid -> User-Name == "test"
  [ldap] userPassword -> Password-With-Header ==
"{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[files] = noop
++[mschap] = noop
[pap] No clear-text password in the request.  Not performing PAP.
++[pap] = noop
[eap] EAP packet type response id 2 length 178
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 168
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< Unknown TLS version [length 00a3]
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> Unknown TLS version [length 0039]
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> Unknown TLS version [length 09a8]
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> Unknown TLS version [length 014d]
[peap]     TLS_accept: SSLv3 write key exchange A
[peap] >>> Unknown TLS version [length 0004]
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client
certificate A
[peap]     TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
} # server eduroam-inner-tunnel
Sending Access-Challenge of id 151 to 192.168.241.12 port 56951
        EAP-Message = 0x206163636f7264616e636520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8fae4f288ead56d7f54a19d8916d3466
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
id=152, length=226
        User-Name = "[hidden email]"
        NAS-IP-Address = 192.168.241.12
        NAS-Port = 0
        NAS-Identifier = "eduroam"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "606720CB37CC"
        Called-Station-Id = "001A1E012EE8"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message = 0x020300061900
        State = 0x8fae4f288ead56d7f54a19d8916d3466
        Aruba-Essid-Name = "eduroam"
        Aruba-Location-Id = "PTM-MIS"
        Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
        Message-Authenticator = 0x169f17aff5bf1ec04b4c7b2e442b3ed9
server eduroam-inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log]      expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[auth_log]      expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]      expand: %t -> Fri Aug 11 12:48:34 2017
++[auth_log] = ok
[suffix] Looking up realm "uthm.edu.my" for User-Name = "[hidden email]"
[suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "uthm.edu.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for test
[ldap]  expand: %{Stripped-User-Name} -> test
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
[ldap]  expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
[ldap] checking if remote access for test is allowed by uid
[ldap] looking for check items in directory...
  [ldap] uid -> User-Name == "test"
  [ldap] userPassword -> Password-With-Header ==
"{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[files] = noop
++[mschap] = noop
[pap] No clear-text password in the request.  Not performing PAP.
++[pap] = noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
} # server eduroam-inner-tunnel
Sending Access-Challenge of id 152 to 192.168.241.12 port 56951
        EAP-Message =
0x0e56f68689f3853f9786afb0dc1aef6b0d95167dc42ba065b299043675806bac4af31b9049782fa2964f2a20252904c674c0d031cd8f31389516baa833b843f1b11fc3307fa27931133d2d36f8e3fcf2336ab93931c5afc48d0d1d641633aafa8429b6d40bc0d87dc3930203010001a382017d3082017930120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186307f06082b0601050507010104733071303206082b060105050730018626687474703a2f2f697372672e747275737469642e6f6373702e6964656e74727573742e636f6d303b06082b06010505073002862f687474703a2f2f617070732e6964656e
        EAP-Message = 0x74727573742e636f
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8fae4f288daa56d7f54a19d8916d3466
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
id=153, length=226
        User-Name = "[hidden email]"
        NAS-IP-Address = 192.168.241.12
        NAS-Port = 0
        NAS-Identifier = "eduroam"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "606720CB37CC"
        Called-Station-Id = "001A1E012EE8"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message = 0x020400061900
        State = 0x8fae4f288daa56d7f54a19d8916d3466
        Aruba-Essid-Name = "eduroam"
        Aruba-Location-Id = "PTM-MIS"
        Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
        Message-Authenticator = 0xc60aac92364e2b6924ae3770ca74f5e0
server eduroam-inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log]      expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[auth_log]      expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]      expand: %t -> Fri Aug 11 12:48:34 2017
++[auth_log] = ok
[suffix] Looking up realm "uthm.edu.my" for User-Name = "[hidden email]"
[suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "uthm.edu.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for test
[ldap]  expand: %{Stripped-User-Name} -> test
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
[ldap]  expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
[ldap] checking if remote access for test is allowed by uid
[ldap] looking for check items in directory...
  [ldap] uid -> User-Name == "test"
  [ldap] userPassword -> Password-With-Header ==
"{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[files] = noop
++[mschap] = noop
[pap] No clear-text password in the request.  Not performing PAP.
++[pap] = noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
} # server eduroam-inner-tunnel
Sending Access-Challenge of id 153 to 192.168.241.12 port 56951
        EAP-Message =
0x0105036019006d2f726f6f74732f647374726f6f74636178332e703763301f0603551d23041830168014c4a7b1a47b2c71fadbe14b9075ffc4156085891030540603551d20044d304b3008060667810c010201303f060b2b0601040182df130101013030302e06082b060105050702011622687474703a2f2f6370732e726f6f742d78312e6c657473656e63727970742e6f7267303c0603551d1f043530333031a02fa02d862b687474703a2f2f63726c2e6964656e74727573742e636f6d2f445354524f4f544341583343524c2e63726c301d0603551d0e04160414a84a6a63047dddbae6d139b7a64565eff3a8eca1300d06092a864886f70d0101
        EAP-Message =
0xc90244a787afc3345bb442160303014d0c0001490300174104937ef4214267c66e54b943286f2aaee0d7136583436503bc9771b29543c715226c45d5d7a14e14877be87ae18304b19c725acb27d5f7e67dd6a95146c87bd69204010100801b8d8ce4a7e05deb44da62e7fdefc579ea4fa2d6ea86438b76661a461e2edf2dda7254e76c90ebd2c425149a7f4c202d80c553f6ac268a6726c01ff4defadb7a06049b147774e50009e8ea4e75c7277ca1ab7dd549a2f99eaadab70143e49b1de3ae104e73f307aca89d03f0165ec72ae32586aa3322fd193c34f8e254cb1035404691253be279552f8b22e7e645ccf06f48ddd89274421ac224636daf1fce
        EAP-Message =
0x6c8b5405eb5f25c413af4115fcaaaee24c89899d0a5de9676776b0c57c6d7e673a0439528bc4b55ba9f5572cedfbd3fc8405ea36f11d2661abc315739ccabafe8c19e498555e91a06ca95eac01dd688f2dd07779e92f3f84172551df1bdf2e7d16030300040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8fae4f288cab56d7f54a19d8916d3466
Finished request 11.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
id=154, length=356
        User-Name = "[hidden email]"
        NAS-IP-Address = 192.168.241.12
        NAS-Port = 0
        NAS-Identifier = "eduroam"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "606720CB37CC"
        Called-Station-Id = "001A1E012EE8"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message =
0x0205008819800000007e1603030046100000424104c54e810e0876a2f48de285e28044b9d5705e0502717c3dc8017dc66f925db3a936b10c757bfdd0c306034d301be3d9f000b3d8e396baa95c8b466988a54e689b140303000101160303002800000000000000006ac72ce7125c46232cff9613def48589606506c06bf5ba73c81ef1a541f67972
        State = 0x8fae4f288cab56d7f54a19d8916d3466
        Aruba-Essid-Name = "eduroam"
        Aruba-Location-Id = "PTM-MIS"
        Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
        Message-Authenticator = 0x9a6c65b38d5d36756f9d367c70d9c188
server eduroam-inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log]      expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[auth_log]      expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]      expand: %t -> Fri Aug 11 12:48:34 2017
++[auth_log] = ok
[suffix] Looking up realm "uthm.edu.my" for User-Name = "[hidden email]"
[suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "uthm.edu.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for test
[ldap]  expand: %{Stripped-User-Name} -> test
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
[ldap]  expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
[ldap] checking if remote access for test is allowed by uid
[ldap] looking for check items in directory...
  [ldap] uid -> User-Name == "test"
  [ldap] userPassword -> Password-With-Header ==
"{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[files] = noop
++[mschap] = noop
[pap] No clear-text password in the request.  Not performing PAP.
++[pap] = noop
[eap] EAP packet type response id 5 length 136
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 126
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< Unknown TLS version [length 0046]
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< Unknown TLS version [length 0001]
[peap] <<< Unknown TLS version [length 0010]
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> Unknown TLS version [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> Unknown TLS version [length 0010]
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
} # server eduroam-inner-tunnel
Sending Access-Challenge of id 154 to 192.168.241.12 port 56951
        EAP-Message =
0x01060039190014030300010116030300281c8a45d0b7de86498defbc89a27764b06a43196af0bf4a2db7824809a50bd2d3e34b5b203a2345cd
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8fae4f288ba856d7f54a19d8916d3466
Finished request 12.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
id=155, length=226
        User-Name = "[hidden email]"
        NAS-IP-Address = 192.168.241.12
        NAS-Port = 0
        NAS-Identifier = "eduroam"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "606720CB37CC"
        Called-Station-Id = "001A1E012EE8"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message = 0x020600061900
        State = 0x8fae4f288ba856d7f54a19d8916d3466
        Aruba-Essid-Name = "eduroam"
        Aruba-Location-Id = "PTM-MIS"
        Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
        Message-Authenticator = 0xb3457d7a24957b9fa3781dc6b0c24295
server eduroam-inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log]      expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[auth_log]      expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]      expand: %t -> Fri Aug 11 12:48:36 2017
++[auth_log] = ok
[suffix] Looking up realm "uthm.edu.my" for User-Name = "[hidden email]"
[suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "uthm.edu.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for test
[ldap]  expand: %{Stripped-User-Name} -> test
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
[ldap]  expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
[ldap] checking if remote access for test is allowed by uid
[ldap] looking for check items in directory...
  [ldap] uid -> User-Name == "test"
  [ldap] userPassword -> Password-With-Header ==
"{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[files] = noop
++[mschap] = noop
[pap] No clear-text password in the request.  Not performing PAP.
++[pap] = noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
} # server eduroam-inner-tunnel
Sending Access-Challenge of id 155 to 192.168.241.12 port 56951
        EAP-Message =
0x010700281900170303001d1c8a45d0b7de864ad470a8ed8a39384d931984faa55ad2ebc731ac4bbb
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8fae4f288aa956d7f54a19d8916d3466
Finished request 13.
Going to the next request
Waking up in 2.6 seconds.
rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
id=156, length=272
        User-Name = "[hidden email]"
        NAS-IP-Address = 192.168.241.12
        NAS-Port = 0
        NAS-Identifier = "eduroam"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "606720CB37CC"
        Called-Station-Id = "001A1E012EE8"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message =
0x0207003419001703030029000000000000000134f54fb6fe56b12faf31a04562eb50ddcfa3354f7bbfd1545aa0130c45e0dd385c
        State = 0x8fae4f288aa956d7f54a19d8916d3466
        Aruba-Essid-Name = "eduroam"
        Aruba-Location-Id = "PTM-MIS"
        Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
        Message-Authenticator = 0xa7c3a3db99bf62cb53cf74ae99a4acd5
server eduroam-inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log]      expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[auth_log]      expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]      expand: %t -> Fri Aug 11 12:48:36 2017
++[auth_log] = ok
[suffix] Looking up realm "uthm.edu.my" for User-Name = "[hidden email]"
[suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "uthm.edu.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for test
[ldap]  expand: %{Stripped-User-Name} -> test
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
[ldap]  expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
[ldap] checking if remote access for test is allowed by uid
[ldap] looking for check items in directory...
  [ldap] uid -> User-Name == "test"
  [ldap] userPassword -> Password-With-Header ==
"{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[files] = noop
++[mschap] = noop
[pap] No clear-text password in the request.  Not performing PAP.
++[pap] = noop
[eap] EAP packet type response id 7 length 52
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - [hidden email]
[peap] Got inner identity '[hidden email]'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
        EAP-Message = 0x020700150174657374407574686d2e6564752e6d79
server eduroam-inner-tunnel {
[peap] Setting User-Name to [hidden email]
Sending tunneled request
        EAP-Message = 0x020700150174657374407574686d2e6564752e6d79
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "[hidden email]"
        NAS-IP-Address = 192.168.241.12
        NAS-Port = 0
        NAS-Identifier = "eduroam"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "606720CB37CC"
        Called-Station-Id = "001A1E012EE8"
        Service-Type = Login-User
        Framed-MTU = 1100
        Aruba-Essid-Name = "eduroam"
        Aruba-Location-Id = "PTM-MIS"
        Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
server eduroam-inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log]      expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[auth_log]      expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]      expand: %t -> Fri Aug 11 12:48:36 2017
++[auth_log] = ok
[suffix] Looking up realm "uthm.edu.my" for User-Name = "[hidden email]"
[suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "uthm.edu.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for test
[ldap]  expand: %{Stripped-User-Name} -> test
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
[ldap]  expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
[ldap] checking if remote access for test is allowed by uid
[ldap] looking for check items in directory...
  [ldap] uid -> User-Name == "test"
  [ldap] userPassword -> Password-With-Header ==
"{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[files] = noop
++[mschap] = noop
[pap] No clear-text password in the request.  Not performing PAP.
++[pap] = noop
[eap] EAP packet type response id 7 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server eduroam-inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message =
0x0108002a1a0108002510343a9d3341344d17be103ba1b8102a4d74657374407574686d2e6564752e6d79
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcbeddcf3cbe5c6059f24a1ca23970697
[peap] Got tunneled reply RADIUS code Access-Challenge
        EAP-Message =
0x0108002a1a0108002510343a9d3341344d17be103ba1b8102a4d74657374407574686d2e6564752e6d79
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcbeddcf3cbe5c6059f24a1ca23970697
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
} # server eduroam-inner-tunnel
Sending Access-Challenge of id 156 to 192.168.241.12 port 56951
        EAP-Message =
0x010800491900170303003e1c8a45d0b7de864b2d1e68270fa233de3ac15f3ba93a9d2e2df074591a16e288b38d1ec3175acf72ef0f30a6f19ee6e5a4e9b3ccb86e49568d7c2cb0af87
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8fae4f2889a656d7f54a19d8916d3466
Finished request 14.
Going to the next request
Waking up in 2.6 seconds.
rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
id=157, length=326
        User-Name = "[hidden email]"
        NAS-IP-Address = 192.168.241.12
        NAS-Port = 0
        NAS-Identifier = "eduroam"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "606720CB37CC"
        Called-Station-Id = "001A1E012EE8"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message =
0x0208006a1900170303005f0000000000000002e601a6aa39b3f001761524212d3ad0f41d4ed51d41f2ccd5e98cec19669d823871d2c63f9d0e24a20b54572e2f27420eee0f333e8bc450f328c4a5a29778e395986cd10574041407466476fa397de3d2e27c8e2408f5b2
        State = 0x8fae4f2889a656d7f54a19d8916d3466
        Aruba-Essid-Name = "eduroam"
        Aruba-Location-Id = "PTM-MIS"
        Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
        Message-Authenticator = 0x1a31e183513b430559a36db139e98115
server eduroam-inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log]      expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[auth_log]      expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]      expand: %t -> Fri Aug 11 12:48:36 2017
++[auth_log] = ok
[suffix] Looking up realm "uthm.edu.my" for User-Name = "[hidden email]"
[suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "uthm.edu.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for test
[ldap]  expand: %{Stripped-User-Name} -> test
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
[ldap]  expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
[ldap] checking if remote access for test is allowed by uid
[ldap] looking for check items in directory...
  [ldap] uid -> User-Name == "test"
  [ldap] userPassword -> Password-With-Header ==
"{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[files] = noop
++[mschap] = noop
[pap] No clear-text password in the request.  Not performing PAP.
++[pap] = noop
[eap] EAP packet type response id 8 length 106
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message =
0x0208004b1a02080046315a9c485813afb0d85fa3ff490bc740b30000000000000000710dff1dfc34e780f32401e4a4772847f532a4ce5e8b43500074657374407574686d2e6564752e6d79
server eduroam-inner-tunnel {
[peap] Setting User-Name to [hidden email]
Sending tunneled request
        EAP-Message =
0x0208004b1a02080046315a9c485813afb0d85fa3ff490bc740b30000000000000000710dff1dfc34e780f32401e4a4772847f532a4ce5e8b43500074657374407574686d2e6564752e6d79
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "[hidden email]"
        State = 0xcbeddcf3cbe5c6059f24a1ca23970697
        NAS-IP-Address = 192.168.241.12
        NAS-Port = 0
        NAS-Identifier = "eduroam"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "606720CB37CC"
        Called-Station-Id = "001A1E012EE8"
        Service-Type = Login-User
        Framed-MTU = 1100
        Aruba-Essid-Name = "eduroam"
        Aruba-Location-Id = "PTM-MIS"
        Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
server eduroam-inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log]      expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[auth_log]      expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]      expand: %t -> Fri Aug 11 12:48:36 2017
++[auth_log] = ok
[suffix] Looking up realm "uthm.edu.my" for User-Name = "[hidden email]"
[suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "uthm.edu.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for test
[ldap]  expand: %{Stripped-User-Name} -> test
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
[ldap]  expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
[ldap] checking if remote access for test is allowed by uid
[ldap] looking for check items in directory...
  [ldap] uid -> User-Name == "test"
  [ldap] userPassword -> Password-With-Header ==
"{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[files] = noop
++[mschap] = noop
[pap] No clear-text password in the request.  Not performing PAP.
++[pap] = noop
[eap] EAP packet type response id 8 length 75
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: [hidden email]
[mschap] Client is using MS-CHAPv2 for [hidden email], we need NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Login incorrect: [[hidden email]] (from client radsec port 0 cli
606720CB37CC via TLS tunnel)
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group REJECT {
[reply_log]     expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[reply_log]     expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/reply-detail-20170811
[reply_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/reply-detail-20170811
[reply_log]     expand: %t -> Fri Aug 11 12:48:36 2017
++[reply_log] = ok
+} # group REJECT = ok
} # server eduroam-inner-tunnel
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\010E=691 R=1"
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code Access-Reject
        MS-CHAP-Error = "\010E=691 R=1"
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] = handled
+} # group authenticate = handled
} # server eduroam-inner-tunnel
Sending Access-Challenge of id 157 to 192.168.241.12 port 56951
        EAP-Message =
0x0109002e190017030300231c8a45d0b7de864c86cfe8658e8f5a7692bff076e34cac34a4f898a86fb7d7bd87bd0d
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8fae4f2888a756d7f54a19d8916d3466
Finished request 15.
Going to the next request
Waking up in 2.6 seconds.
rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
id=158, length=266
        User-Name = "[hidden email]"
        NAS-IP-Address = 192.168.241.12
        NAS-Port = 0
        NAS-Identifier = "eduroam"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "606720CB37CC"
        Called-Station-Id = "001A1E012EE8"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message =
0x0209002e19001703030023000000000000000334b2a2f72bfaff9cb368e59ee145ac3b61bb33f10ff54368601eda
        State = 0x8fae4f2888a756d7f54a19d8916d3466
        Aruba-Essid-Name = "eduroam"
        Aruba-Location-Id = "PTM-MIS"
        Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
        Message-Authenticator = 0x13d985f1b0164cab9128cf4e07b3a9e0
server eduroam-inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log]      expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[auth_log]      expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]      expand: %t -> Fri Aug 11 12:48:36 2017
++[auth_log] = ok
[suffix] Looking up realm "uthm.edu.my" for User-Name = "[hidden email]"
[suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "uthm.edu.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for test
[ldap]  expand: %{Stripped-User-Name} -> test
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
[ldap]  expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
[ldap] checking if remote access for test is allowed by uid
[ldap] looking for check items in directory...
  [ldap] uid -> User-Name == "test"
  [ldap] userPassword -> Password-With-Header ==
"{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[files] = noop
++[mschap] = noop
[pap] No clear-text password in the request.  Not performing PAP.
++[pap] = noop
[eap] EAP packet type response id 9 length 46
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [[hidden email]] (from client radsec port 0 cli 606720CB37CC)
} # server eduroam-inner-tunnel
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group REJECT {
[reply_log]     expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[reply_log]     expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d -> /var/log/radius/radacct/192.168.241.12/reply-detail-20170811
[reply_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.241.12/reply-detail-20170811
[reply_log]     expand: %t -> Fri Aug 11 12:48:36 2017
++[reply_log] = ok
+} # group REJECT = ok
Delaying reject of request 16 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 16
Sending Access-Reject of id 158 to 192.168.241.12 port 56951
        EAP-Message = 0x04090004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1.6 seconds.
Cleaning up request 7 ID 150 with timestamp +220
Cleaning up request 9 ID 151 with timestamp +220
Cleaning up request 10 ID 152 with timestamp +220
Cleaning up request 11 ID 153 with timestamp +220
Cleaning up request 12 ID 154 with timestamp +220
Waking up in 2.2 seconds.
Cleaning up request 13 ID 155 with timestamp +222
Cleaning up request 14 ID 156 with timestamp +222
Cleaning up request 15 ID 157 with timestamp +222
Waking up in 1.0 seconds.
Cleaning up request 16 ID 158 with timestamp +222
Ready to process requests.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: radius and ldap authentication.

Edelberto Franco
Dear,

I guess you do not have hashNT (the sambaNTPasswd attribute) configured in
your LDAP, right? If so, configure it there, or your PEAP/MSCHAPv2
authentication won't work.
See mods-available/ldap for examples of how to configure NT-Password
(from FR) against the LDAP hashNT attribute (maybe sambaNTPassword).
TTLS/PAP works, right?!

--E

On 11-Aug-17 1:53 AM, Mohd Akhbar wrote:

> I want to connect radius with my ldap (389 Directory) and my user password
> in SHA. Actually taking over the task from colleague. Please give some
> advice. Thank you.
>
> ===========================================
> [root@eduroam-idp ~]# radiusd -X
> radiusd: FreeRADIUS Version 2.2.6, for host x86_64-redhat-linux-gnu, built
> on Jul 17 2017 at 23:07:34
> Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License.
> For more information about these matters, see the file named COPYRIGHT.
> Starting - reading configuration files ...
> including configuration file /etc/raddb/radiusd.conf
> including configuration file /etc/raddb/proxy.conf
> including configuration file /etc/raddb/clients.conf
> including files in directory /etc/raddb/modules/
> including configuration file /etc/raddb/modules/smsotp
> including configuration file /etc/raddb/modules/mac2vlan
> including configuration file /etc/raddb/modules/linelog
> including configuration file /etc/raddb/modules/pap
> including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
> including configuration file /etc/raddb/modules/echo
> including configuration file /etc/raddb/modules/ntlm_auth
> including configuration file /etc/raddb/modules/mschap
> including configuration file /etc/raddb/modules/inner-eap
> including configuration file /etc/raddb/modules/smbpasswd
> including configuration file /etc/raddb/modules/pam
> including configuration file /etc/raddb/modules/ldap
> including configuration file /etc/raddb/modules/passwd
> including configuration file /etc/raddb/modules/realm
> including configuration file /etc/raddb/modules/acct_unique
> including configuration file /etc/raddb/modules/policy
> including configuration file /etc/raddb/modules/otp
> including configuration file /etc/raddb/modules/logintime
> including configuration file /etc/raddb/modules/rediswho
> including configuration file /etc/raddb/modules/ldap.BAK
> including configuration file /etc/raddb/modules/ippool
> including configuration file /etc/raddb/modules/opendirectory
> including configuration file /etc/raddb/modules/counter
> including configuration file /etc/raddb/modules/always
> including configuration file /etc/raddb/modules/detail
> including configuration file /etc/raddb/modules/expiration
> including configuration file /etc/raddb/modules/expr
> including configuration file /etc/raddb/modules/etc_group
> including configuration file /etc/raddb/modules/detail.example.com
> including configuration file /etc/raddb/modules/sradutmp
> including configuration file /etc/raddb/modules/sql_log
> including configuration file /etc/raddb/modules/files
> including configuration file /etc/raddb/modules/perl
> including configuration file /etc/raddb/modules/cui
> including configuration file /etc/raddb/modules/dhcp_sqlippool
> including configuration file /etc/raddb/modules/attr_filter
> including configuration file /etc/raddb/modules/radrelay
> including configuration file /etc/raddb/modules/chap
> including configuration file /etc/raddb/modules/soh
> including configuration file /etc/raddb/modules/unix
> including configuration file /etc/raddb/modules/mac2ip
> including configuration file /etc/raddb/modules/digest
> including configuration file /etc/raddb/modules/preprocess
> including configuration file /etc/raddb/modules/wimax
> including configuration file /etc/raddb/modules/checkval
> including configuration file /etc/raddb/modules/exec
> including configuration file /etc/raddb/modules/replicate
> including configuration file /etc/raddb/modules/redis
> including configuration file /etc/raddb/modules/cache
> including configuration file /etc/raddb/modules/detail.log
> including configuration file /etc/raddb/modules/dynamic_clients
> including configuration file /etc/raddb/modules/radutmp
> including configuration file /etc/raddb/modules/attr_rewrite
> including configuration file /etc/raddb/eap.conf
> including configuration file /etc/raddb/policy.conf
> including files in directory /etc/raddb/sites-enabled/
> including configuration file /etc/raddb/sites-enabled/inner-tunnel
> including configuration file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> including configuration file /etc/raddb/sites-enabled/control-socket
> including configuration file /etc/raddb/sites-enabled/default
> main {
>          allow_core_dumps = no
> }
> including dictionary file /etc/raddb/dictionary
> main {
>          name = "radiusd"
>          prefix = "/usr"
>          localstatedir = "/var"
>          sbindir = "/usr/sbin"
>          logdir = "/var/log/radius"
>          run_dir = "/var/run/radiusd"
>          libdir = "/usr/lib"
>          radacctdir = "/var/log/radius/radacct"
>          hostname_lookups = no
>          max_request_time = 30
>          cleanup_delay = 5
>          max_requests = 1024
>          pidfile = "/var/run/radiusd/radiusd.pid"
>          checkrad = "/usr/sbin/checkrad"
>          debug_level = 0
>          proxy_requests = yes
>   log {
>          stripped_names = no
>          auth = yes
>          auth_badpass = no
>          auth_goodpass = no
>   }
>   security {
>          max_attributes = 200
>          reject_delay = 1
>          status_server = yes
>   }
> }
> radiusd: #### Loading Realms and Home Servers ####
>   proxy server {
>          retry_delay = 5
>          retry_count = 3
>          default_fallback = yes
>          dead_time = 120
>          wake_all_if_all_dead = no
>   }
>   realm ~^(.+\.)?uthm\.edu\.my$ {
>          authhost = LOCAL
>          accthost = LOCAL
>   }
>   realm DEFAULT {
>          nostrip
>          authhost = 192.168.241.12:1812
>          secret = TcMvKbBdVChdYdeY
>   }
>   realm suffix {
>   }
> radiusd: #### Loading Clients ####
>   client localhost {
>          ipaddr = 192.168.241.12
>          netmask = 32
>          require_message_authenticator = no
>          secret = "TcMvKbBdVChdYdeY"
>          shortname = "radsec"
>          nastype = "other"
>          virtual_server = "eduroam-inner-tunnel"
>   }
> radiusd: #### Instantiating modules ####
>   instantiate {
>   Module: Linked to module rlm_expr
>   Module: Instantiating module "expr" from file /etc/raddb/modules/expr
>   }
> radiusd: #### Loading Virtual Servers ####
> server { # from file
>   modules {
>    Module: Creating Auth-Type = digest
>    Module: Creating Post-Auth-Type = REJECT
>   Module: Checking authenticate {...} for more modules to load
>   Module: Linked to module rlm_pap
>   Module: Instantiating module "pap" from file /etc/raddb/modules/pap
>    pap {
>          encryption_scheme = "auto"
>          auto_header = yes
>    }
>   Module: Linked to module rlm_chap
>   Module: Instantiating module "chap" from file /etc/raddb/modules/chap
>   Module: Linked to module rlm_mschap
>   Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
>    mschap {
>          use_mppe = yes
>          require_encryption = no
>          require_strong = no
>          with_ntdomain_hack = no
>          allow_retry = yes
>    }
>   Module: Linked to module rlm_digest
>   Module: Instantiating module "digest" from file /etc/raddb/modules/digest
>   Module: Linked to module rlm_unix
>   Module: Instantiating module "unix" from file /etc/raddb/modules/unix
>    unix {
>          radwtmp = "/var/log/radius/radwtmp"
>    }
>   Module: Linked to module rlm_eap
>   Module: Instantiating module "eap" from file /etc/raddb/eap.conf
>    eap {
>          default_eap_type = "peap"
>          timer_expire = 60
>          ignore_unknown_eap_types = no
>          cisco_accounting_username_bug = no
>          max_sessions = 2048
>    }
>   Module: Linked to sub-module rlm_eap_tls
>   Module: Instantiating eap-tls
>     tls {
>          rsa_key_exchange = no
>          dh_key_exchange = yes
>          rsa_key_length = 512
>          dh_key_length = 512
>          verify_depth = 0
>          pem_file_type = yes
>          private_key_file = "/etc/letsencrypt/live/
> idp.uthm.edu.my/privkey.pem"
>          certificate_file = "/etc/letsencrypt/live/idp.uthm.edu.my/cert.pem"
>          CA_file = "/etc/letsencrypt/live/idp.uthm.edu.my/chain.pem"
>          dh_file = "/etc/certs/dh"
>          random_file = "/dev/urandom"
>          fragment_size = 1024
>          include_length = yes
>          check_crl = no
>          cipher_list = "DEFAULT"
>          ecdh_curve = "prime256v1"
>     }
> WARNING: rlm_eap_tls: Unable to set DH parameters.  DH cipher suites may
> not work!
> WARNING: Fix this by running the OpenSSL command listed in eap.conf
>   Module: Linked to sub-module rlm_eap_ttls
>   Module: Instantiating eap-ttls
>     ttls {
>          default_eap_type = "mschapv2"
>          copy_request_to_tunnel = yes
>          use_tunneled_reply = yes
>          virtual_server = "eduroam-inner-tunnel"
>          include_length = yes
>     }
>   Module: Linked to sub-module rlm_eap_peap
>   Module: Instantiating eap-peap
>     peap {
>          default_eap_type = "mschapv2"
>          copy_request_to_tunnel = yes
>          use_tunneled_reply = yes
>          proxy_tunneled_request_as_eap = yes
>          virtual_server = "eduroam-inner-tunnel"
>          soh = no
>     }
>   Module: Linked to sub-module rlm_eap_mschapv2
>   Module: Instantiating eap-mschapv2
>     mschapv2 {
>          with_ntdomain_hack = no
>          send_error = no
>     }
>   Module: Checking authorize {...} for more modules to load
>   Module: Linked to module rlm_preprocess
>   Module: Instantiating module "preprocess" from file
> /etc/raddb/modules/preprocess
>    preprocess {
>          huntgroups = "/etc/raddb/huntgroups"
>          hints = "/etc/raddb/hints"
>          with_ascend_hack = no
>          ascend_channels_per_line = 23
>          with_ntdomain_hack = no
>          with_specialix_jetstream_hack = no
>          with_cisco_vsa_hack = no
>          with_alvarion_vsa_hack = no
>    }
> reading pairlist file /etc/raddb/huntgroups
> reading pairlist file /etc/raddb/hints
>   Module: Linked to module rlm_realm
>   Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
>    realm suffix {
>          format = "suffix"
>          delimiter = "@"
>          ignore_default = no
>          ignore_null = no
>    }
>   Module: Linked to module rlm_files
>   Module: Instantiating module "files" from file /etc/raddb/modules/files
>    files {
>          usersfile = "/etc/raddb/users"
>          acctusersfile = "/etc/raddb/acct_users"
>          preproxy_usersfile = "/etc/raddb/preproxy_users"
>          compat = "no"
>    }
> reading pairlist file /etc/raddb/users
> reading pairlist file /etc/raddb/acct_users
> reading pairlist file /etc/raddb/preproxy_users
>   Module: Linked to module rlm_ldap
>   Module: Instantiating module "ldap" from file /etc/raddb/modules/ldap
>    ldap {
>          server = "ldap.uthm.edu.my"
>          port = 389
>          password = "mypassword"
>          expect_password = yes
>          identity = "cn=Directory Manager"
>          net_timeout = 1
>          timeout = 4
>          timelimit = 3
>          max_uses = 0
>          tls_mode = no
>          start_tls = no
>          tls_require_cert = "allow"
>          basedn = "dc=uthm,dc=edu,dc=my"
>          filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>          base_filter = "(objectclass=inetOrgPerson)"
>          auto_header = no
>          access_attr = "uid"
>          access_attr_used_for_allow = yes
>          groupname_attribute = "cn"
>          groupmembership_filter =
> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>          dictionary_mapping = "/etc/raddb/ldap.attrmap"
>          ldap_debug = 0
>          ldap_connections_number = 10
>          compare_check_items = no
>          do_xlat = yes
>          set_auth_type = yes
>    }
> rlm_ldap: Registering ldap_groupcmp for Ldap-Group
> rlm_ldap: Registering ldap_xlat with xlat_name ldap
> rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in
> the "authenticate" section.
> rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
> rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
> rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
> rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
> rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
> rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
> rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
> rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
> rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
> rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
> rlm_ldap: LDAP uid mapped to RADIUS User-Name
> rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
> rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
> rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
> rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
> rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
> rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
> rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
> rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
> rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
> rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
> rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
> rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
> rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
> rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
> rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
> rlm_ldap: LDAP radiusClass mapped to RADIUS Class
> rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
> rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
> rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
> rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
> rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
> rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
> rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
> Framed-AppleTalk-Link
> rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
> Framed-AppleTalk-Network
> rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
> Framed-AppleTalk-Zone
> rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
> rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
> rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
> rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
> rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
> rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
> Tunnel-Private-Group-Id
> conns: 0x7f75996694a0
>   Module: Linked to module rlm_expiration
>   Module: Instantiating module "expiration" from file
> /etc/raddb/modules/expiration
>    expiration {
>          reply-message = "Password Has Expired  "
>    }
>   Module: Linked to module rlm_logintime
>   Module: Instantiating module "logintime" from file
> /etc/raddb/modules/logintime
>    logintime {
>          reply-message = "You are calling outside your allowed timespan  "
>          minimum-timeout = 60
>    }
>   Module: Checking preacct {...} for more modules to load
>   Module: Linked to module rlm_acct_unique
>   Module: Instantiating module "acct_unique" from file
> /etc/raddb/modules/acct_unique
>    acct_unique {
>          key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier,
> NAS-Port"
>    }
>   Module: Checking accounting {...} for more modules to load
>   Module: Linked to module rlm_detail
>   Module: Instantiating module "detail" from file /etc/raddb/modules/detail
>    detail {
>          detailfile =
> "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
>          header = "%t"
>          detailperm = 384
>          dirperm = 493
>          locking = no
>          log_packet_header = no
>    }
>   Module: Linked to module rlm_exec
>   Module: Instantiating module "exec" from file /etc/raddb/modules/exec
>    exec {
>          wait = no
>          input_pairs = "request"
>          shell_escape = yes
>          timeout = 10
>    }
>   Module: Linked to module rlm_attr_filter
>   Module: Instantiating module "attr_filter.accounting_response" from file
> /etc/raddb/modules/attr_filter
>    attr_filter attr_filter.accounting_response {
>          attrsfile = "/etc/raddb/attrs.accounting_response"
>          key = "%{User-Name}"
>          relaxed = no
>    }
> reading pairlist file /etc/raddb/attrs.accounting_response
>   Module: Checking session {...} for more modules to load
>   Module: Linked to module rlm_radutmp
>   Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
>    radutmp {
>          filename = "/var/log/radius/radutmp"
>          username = "%{User-Name}"
>          case_sensitive = yes
>          check_with_nas = yes
>          perm = 384
>          callerid = yes
>    }
>   Module: Checking post-proxy {...} for more modules to load
>   Module: Checking post-auth {...} for more modules to load
>   Module: Instantiating module "attr_filter.access_reject" from file
> /etc/raddb/modules/attr_filter
>    attr_filter attr_filter.access_reject {
>          attrsfile = "/etc/raddb/attrs.access_reject"
>          key = "%{User-Name}"
>          relaxed = no
>    }
> reading pairlist file /etc/raddb/attrs.access_reject
>   } # modules
> } # server
> server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
>   modules {
>   Module: Checking authenticate {...} for more modules to load
>   Module: Checking authorize {...} for more modules to load
>   Module: Checking session {...} for more modules to load
>   Module: Checking post-proxy {...} for more modules to load
>   Module: Checking post-auth {...} for more modules to load
>   } # modules
> } # server
> server eduroam-inner-tunnel { # from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
>   modules {
>   Module: Checking authenticate {...} for more modules to load
>   Module: Checking authorize {...} for more modules to load
>   Module: Instantiating module "auth_log" from file
> /etc/raddb/modules/detail.log
>    detail auth_log {
>          detailfile =
> "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
>          header = "%t"
>          detailperm = 384
>          dirperm = 493
>          locking = no
>          log_packet_header = no
>    }
>   Module: Checking post-auth {...} for more modules to load
>   Module: Instantiating module "reply_log" from file
> /etc/raddb/modules/detail.log
>    detail reply_log {
>          detailfile =
> "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
>          header = "%t"
>          detailperm = 384
>          dirperm = 493
>          locking = no
>          log_packet_header = no
>    }
>   } # modules
> } # server
> radiusd: #### Opening IP addresses and Ports ####
> listen {
>          type = "auth"
>          ipaddr = 127.0.0.1
>          port = 0
> }
> listen {
>          type = "acct"
>          ipaddr = 127.0.0.1
>          port = 0
> }
> listen {
>          type = "control"
>   listen {
>          socket = "/var/run/radiusd/radiusd.sock"
>   }
> }
> listen {
>          type = "auth"
>          ipaddr = 127.0.0.1
>          port = 18120
> }
> Listening on authentication address 127.0.0.1 port 1812
> Listening on accounting address 127.0.0.1 port 1813
> Listening on command file /var/run/radiusd/radiusd.sock
> Listening on authentication address 127.0.0.1 port 18120 as server
> inner-tunnel
> Listening on proxy address * port 1217
> Ready to process requests.
> rad_recv: Status-Server packet from host 192.168.241.12 port 56951, id=0,
> length=38
>          Message-Authenticator = 0xbf53e4c9a8a5a0bb431dc680c121d53d
> server eduroam-inner-tunnel {
> } # server eduroam-inner-tunnel
> Sending Access-Accept of id 0 to 192.168.241.12 port 56951
> Finished request 0.
> Cleaning up request 0 ID 0 with timestamp +18
> Going to the next request
> Ready to process requests.
>
> ============================
>
>
>
> log when i try to connect as user test.
> -================================
>
> rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
> id=150, length=223
>          User-Name = "[hidden email]"
>          NAS-IP-Address = 192.168.241.12
>          NAS-Port = 0
>          NAS-Identifier = "eduroam"
>          NAS-Port-Type = Wireless-802.11
>          Calling-Station-Id = "606720CB37CC"
>          Called-Station-Id = "001A1E012EE8"
>          Service-Type = Login-User
>          Framed-MTU = 1100
>          EAP-Message = 0x020100150174657374407574686d2e6564752e6d79
>          Aruba-Essid-Name = "eduroam"
>          Aruba-Location-Id = "PTM-MIS"
>          Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
>          Message-Authenticator = 0xdc2b75e509a96ab724feaf3d03953633
> server eduroam-inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authorize {
> [auth_log]      expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [auth_log]      expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]      expand: %t -> Fri Aug 11 12:48:34 2017
> ++[auth_log] = ok
> [suffix] Looking up realm "uthm.edu.my" for User-Name = "[hidden email]"
> [suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
> [suffix] Adding Stripped-User-Name = "test"
> [suffix] Adding Realm = "uthm.edu.my"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] = ok
> [ldap] performing user authorization for test
> [ldap]  expand: %{Stripped-User-Name} -> test
> [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
> [ldap]  expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
>    [ldap] ldap_get_conn: Checking Id: 0
>    [ldap] ldap_get_conn: Got Id: 0
>    [ldap] attempting LDAP reconnection
>    [ldap] (re)connect to ldap.uthm.edu.my:389, authentication 0
>    [ldap] bind as cn=Directory Manager/ik4k388x to ldap.uthm.edu.my:389
>    [ldap] waiting for bind result ...
>    [ldap] Bind was successful
>    [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
> [ldap] checking if remote access for test is allowed by uid
> [ldap] looking for check items in directory...
>    [ldap] uid -> User-Name == "test"
>    [ldap] userPassword -> Password-With-Header ==
> "{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
>    [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok
> ++[files] = noop
> ++[mschap] = noop
> [pap] No clear-text password in the request.  Not performing PAP.
> ++[pap] = noop
> [eap] EAP packet type response id 1 length 21
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] = updated
> +} # group authorize = updated
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authenticate {
> [eap] EAP Identity
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] = handled
> +} # group authenticate = handled
> } # server eduroam-inner-tunnel
> Sending Access-Challenge of id 150 to 192.168.241.12 port 56951
>          EAP-Message = 0x010200061920
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x8fae4f288fac56d7f54a19d8916d3466
> Finished request 7.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Status-Server packet from host 192.168.241.12 port 56951, id=0,
> length=38
>          Message-Authenticator = 0xecface185786ea7a6b82e20ad361fc34
> server eduroam-inner-tunnel {
> } # server eduroam-inner-tunnel
> Sending Access-Accept of id 0 to 192.168.241.12 port 56951
> Finished request 8.
> Cleaning up request 8 ID 0 with timestamp +220
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
> id=151, length=398
>          User-Name = "[hidden email]"
>          NAS-IP-Address = 192.168.241.12
>          NAS-Port = 0
>          NAS-Identifier = "eduroam"
>          NAS-Port-Type = Wireless-802.11
>          Calling-Station-Id = "606720CB37CC"
>          Called-Station-Id = "001A1E012EE8"
>          Service-Type = Login-User
>          Framed-MTU = 1100
>          EAP-Message =
> 0x020200b21980000000a816030300a30100009f0303598d3725e7a897863c61fbd68a95003f647bab3f0324fa2da6110b4e8860890200003cc02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c01300390033009d009c003d003c0035002f000a006a0040003800320013000500040100003a000500050100000000000a0006000400170018000b00020100000d0010000e04010501020104030503020302020023000000170000ff01000100
>          State = 0x8fae4f288fac56d7f54a19d8916d3466
>          Aruba-Essid-Name = "eduroam"
>          Aruba-Location-Id = "PTM-MIS"
>          Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
>          Message-Authenticator = 0x063c2c71061d7ae5e121a4058281fa1d
> server eduroam-inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authorize {
> [auth_log]      expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [auth_log]      expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]      expand: %t -> Fri Aug 11 12:48:34 2017
> ++[auth_log] = ok
> [suffix] Looking up realm "uthm.edu.my" for User-Name = "[hidden email]"
> [suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
> [suffix] Adding Stripped-User-Name = "test"
> [suffix] Adding Realm = "uthm.edu.my"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] = ok
> [ldap] performing user authorization for test
> [ldap]  expand: %{Stripped-User-Name} -> test
> [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
> [ldap]  expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
>    [ldap] ldap_get_conn: Checking Id: 0
>    [ldap] ldap_get_conn: Got Id: 0
>    [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
> [ldap] checking if remote access for test is allowed by uid
> [ldap] looking for check items in directory...
>    [ldap] uid -> User-Name == "test"
>    [ldap] userPassword -> Password-With-Header ==
> "{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
>    [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok
> ++[files] = noop
> ++[mschap] = noop
> [pap] No clear-text password in the request.  Not performing PAP.
> ++[pap] = noop
> [eap] EAP packet type response id 2 length 178
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
>    TLS Length 168
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap]     (other): before/accept initialization
> [peap]     TLS_accept: before/accept initialization
> [peap] <<< Unknown TLS version [length 00a3]
> [peap]     TLS_accept: SSLv3 read client hello A
> [peap] >>> Unknown TLS version [length 0039]
> [peap]     TLS_accept: SSLv3 write server hello A
> [peap] >>> Unknown TLS version [length 09a8]
> [peap]     TLS_accept: SSLv3 write certificate A
> [peap] >>> Unknown TLS version [length 014d]
> [peap]     TLS_accept: SSLv3 write key exchange A
> [peap] >>> Unknown TLS version [length 0004]
> [peap]     TLS_accept: SSLv3 write server done A
> [peap]     TLS_accept: SSLv3 flush data
> [peap]     TLS_accept: Need to read more data: SSLv3 read client
> certificate A
> [peap]     TLS_accept: Need to read more data: SSLv3 read client
> certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] = handled
> +} # group authenticate = handled
> } # server eduroam-inner-tunnel
> Sending Access-Challenge of id 151 to 192.168.241.12 port 56951
>          EAP-Message = 0x206163636f7264616e636520
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x8fae4f288ead56d7f54a19d8916d3466
> Finished request 9.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
> id=152, length=226
>          User-Name = "[hidden email]"
>          NAS-IP-Address = 192.168.241.12
>          NAS-Port = 0
>          NAS-Identifier = "eduroam"
>          NAS-Port-Type = Wireless-802.11
>          Calling-Station-Id = "606720CB37CC"
>          Called-Station-Id = "001A1E012EE8"
>          Service-Type = Login-User
>          Framed-MTU = 1100
>          EAP-Message = 0x020300061900
>          State = 0x8fae4f288ead56d7f54a19d8916d3466
>          Aruba-Essid-Name = "eduroam"
>          Aruba-Location-Id = "PTM-MIS"
>          Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
>          Message-Authenticator = 0x169f17aff5bf1ec04b4c7b2e442b3ed9
> server eduroam-inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authorize {
> [auth_log]      expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [auth_log]      expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]      expand: %t -> Fri Aug 11 12:48:34 2017
> ++[auth_log] = ok
> [suffix] Looking up realm "uthm.edu.my" for User-Name = "[hidden email]"
> [suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
> [suffix] Adding Stripped-User-Name = "test"
> [suffix] Adding Realm = "uthm.edu.my"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] = ok
> [ldap] performing user authorization for test
> [ldap]  expand: %{Stripped-User-Name} -> test
> [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
> [ldap]  expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
>    [ldap] ldap_get_conn: Checking Id: 0
>    [ldap] ldap_get_conn: Got Id: 0
>    [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
> [ldap] checking if remote access for test is allowed by uid
> [ldap] looking for check items in directory...
>    [ldap] uid -> User-Name == "test"
>    [ldap] userPassword -> Password-With-Header ==
> "{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
>    [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok
> ++[files] = noop
> ++[mschap] = noop
> [pap] No clear-text password in the request.  Not performing PAP.
> ++[pap] = noop
> [eap] EAP packet type response id 3 length 6
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake fragment handler
> [peap] eaptls_verify returned 1
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] = handled
> +} # group authenticate = handled
> } # server eduroam-inner-tunnel
> Sending Access-Challenge of id 152 to 192.168.241.12 port 56951
>          EAP-Message =
> 0x06035504061302555331163014060355040a130d4c6574277320456e6372797074312330210603550403131a4c6574277320456e637279707420417574686f7269747920583330820122300d06092a864886f70d01010105000382010f003082010a02820101009cd30cf05ae52e47b7725d3783b3686330ead735261925e1bdbe35f170922fb7b84b4105aba99e350858ecb12ac468870ba3e375e4e6f3a76271ba7981601fd7919a9ff3d0786771c8690e9591cffee699e9603c48cc7eca4d7712249d471b5aebb9ec1e37001c9cac7ba705eace4aebbd41e53698b9cbfd6d3c9668df232a42900c867467c87fa59ab8526114133f65e98287cbdbfa
>          EAP-Message =
> 0x0e56f68689f3853f9786afb0dc1aef6b0d95167dc42ba065b299043675806bac4af31b9049782fa2964f2a20252904c674c0d031cd8f31389516baa833b843f1b11fc3307fa27931133d2d36f8e3fcf2336ab93931c5afc48d0d1d641633aafa8429b6d40bc0d87dc3930203010001a382017d3082017930120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186307f06082b0601050507010104733071303206082b060105050730018626687474703a2f2f697372672e747275737469642e6f6373702e6964656e74727573742e636f6d303b06082b06010505073002862f687474703a2f2f617070732e6964656e
>          EAP-Message = 0x74727573742e636f
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x8fae4f288daa56d7f54a19d8916d3466
> Finished request 10.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
> id=153, length=226
>          User-Name = "[hidden email]"
>          NAS-IP-Address = 192.168.241.12
>          NAS-Port = 0
>          NAS-Identifier = "eduroam"
>          NAS-Port-Type = Wireless-802.11
>          Calling-Station-Id = "606720CB37CC"
>          Called-Station-Id = "001A1E012EE8"
>          Service-Type = Login-User
>          Framed-MTU = 1100
>          EAP-Message = 0x020400061900
>          State = 0x8fae4f288daa56d7f54a19d8916d3466
>          Aruba-Essid-Name = "eduroam"
>          Aruba-Location-Id = "PTM-MIS"
>          Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
>          Message-Authenticator = 0xc60aac92364e2b6924ae3770ca74f5e0
> server eduroam-inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authorize {
> [auth_log]      expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [auth_log]      expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]      expand: %t -> Fri Aug 11 12:48:34 2017
> ++[auth_log] = ok
> [suffix] Looking up realm "uthm.edu.my" for User-Name = "[hidden email]"
> [suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
> [suffix] Adding Stripped-User-Name = "test"
> [suffix] Adding Realm = "uthm.edu.my"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] = ok
> [ldap] performing user authorization for test
> [ldap]  expand: %{Stripped-User-Name} -> test
> [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
> [ldap]  expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
>    [ldap] ldap_get_conn: Checking Id: 0
>    [ldap] ldap_get_conn: Got Id: 0
>    [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
> [ldap] checking if remote access for test is allowed by uid
> [ldap] looking for check items in directory...
>    [ldap] uid -> User-Name == "test"
>    [ldap] userPassword -> Password-With-Header ==
> "{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
>    [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok
> ++[files] = noop
> ++[mschap] = noop
> [pap] No clear-text password in the request.  Not performing PAP.
> ++[pap] = noop
> [eap] EAP packet type response id 4 length 6
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake fragment handler
> [peap] eaptls_verify returned 1
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] = handled
> +} # group authenticate = handled
> } # server eduroam-inner-tunnel
> Sending Access-Challenge of id 153 to 192.168.241.12 port 56951
>          EAP-Message =
> 0x0105036019006d2f726f6f74732f647374726f6f74636178332e703763301f0603551d23041830168014c4a7b1a47b2c71fadbe14b9075ffc4156085891030540603551d20044d304b3008060667810c010201303f060b2b0601040182df130101013030302e06082b060105050702011622687474703a2f2f6370732e726f6f742d78312e6c657473656e63727970742e6f7267303c0603551d1f043530333031a02fa02d862b687474703a2f2f63726c2e6964656e74727573742e636f6d2f445354524f4f544341583343524c2e63726c301d0603551d0e04160414a84a6a63047dddbae6d139b7a64565eff3a8eca1300d06092a864886f70d0101
>          EAP-Message =
> 0x6c8b5405eb5f25c413af4115fcaaaee24c89899d0a5de9676776b0c57c6d7e673a0439528bc4b55ba9f5572cedfbd3fc8405ea36f11d2661abc315739ccabafe8c19e498555e91a06ca95eac01dd688f2dd07779e92f3f84172551df1bdf2e7d16030300040e000000
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x8fae4f288cab56d7f54a19d8916d3466
> Finished request 11.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
> id=154, length=356
>          User-Name = "[hidden email]"
>          NAS-IP-Address = 192.168.241.12
>          NAS-Port = 0
>          NAS-Identifier = "eduroam"
>          NAS-Port-Type = Wireless-802.11
>          Calling-Station-Id = "606720CB37CC"
>          Called-Station-Id = "001A1E012EE8"
>          Service-Type = Login-User
>          Framed-MTU = 1100
>          EAP-Message =
> 0x0205008819800000007e1603030046100000424104c54e810e0876a2f48de285e28044b9d5705e0502717c3dc8017dc66f925db3a936b10c757bfdd0c306034d301be3d9f000b3d8e396baa95c8b466988a54e689b140303000101160303002800000000000000006ac72ce7125c46232cff9613def48589606506c06bf5ba73c81ef1a541f67972
>          State = 0x8fae4f288cab56d7f54a19d8916d3466
>          Aruba-Essid-Name = "eduroam"
>          Aruba-Location-Id = "PTM-MIS"
>          Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
>          Message-Authenticator = 0x9a6c65b38d5d36756f9d367c70d9c188
> server eduroam-inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authorize {
> [auth_log]      expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [auth_log]      expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]      expand: %t -> Fri Aug 11 12:48:34 2017
> ++[auth_log] = ok
> [suffix] Looking up realm "uthm.edu.my" for User-Name = "[hidden email]"
> [suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
> [suffix] Adding Stripped-User-Name = "test"
> [suffix] Adding Realm = "uthm.edu.my"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] = ok
> [ldap] performing user authorization for test
> [ldap]  expand: %{Stripped-User-Name} -> test
> [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
> [ldap]  expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
>    [ldap] ldap_get_conn: Checking Id: 0
>    [ldap] ldap_get_conn: Got Id: 0
>    [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
> [ldap] checking if remote access for test is allowed by uid
> [ldap] looking for check items in directory...
>    [ldap] uid -> User-Name == "test"
>    [ldap] userPassword -> Password-With-Header ==
> "{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
>    [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok
> ++[files] = noop
> ++[mschap] = noop
> [pap] No clear-text password in the request.  Not performing PAP.
> ++[pap] = noop
> [eap] EAP packet type response id 5 length 136
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
>    TLS Length 126
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] <<< Unknown TLS version [length 0046]
> [peap]     TLS_accept: SSLv3 read client key exchange A
> [peap] <<< Unknown TLS version [length 0001]
> [peap] <<< Unknown TLS version [length 0010]
> [peap]     TLS_accept: SSLv3 read finished A
> [peap] >>> Unknown TLS version [length 0001]
> [peap]     TLS_accept: SSLv3 write change cipher spec A
> [peap] >>> Unknown TLS version [length 0010]
> [peap]     TLS_accept: SSLv3 write finished A
> [peap]     TLS_accept: SSLv3 flush data
> [peap]     (other): SSL negotiation finished successfully
> SSL Connection Established
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] = handled
> +} # group authenticate = handled
> } # server eduroam-inner-tunnel
> Sending Access-Challenge of id 154 to 192.168.241.12 port 56951
>          EAP-Message =
> 0x01060039190014030300010116030300281c8a45d0b7de86498defbc89a27764b06a43196af0bf4a2db7824809a50bd2d3e34b5b203a2345cd
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x8fae4f288ba856d7f54a19d8916d3466
> Finished request 12.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
> id=155, length=226
>          User-Name = "[hidden email]"
>          NAS-IP-Address = 192.168.241.12
>          NAS-Port = 0
>          NAS-Identifier = "eduroam"
>          NAS-Port-Type = Wireless-802.11
>          Calling-Station-Id = "606720CB37CC"
>          Called-Station-Id = "001A1E012EE8"
>          Service-Type = Login-User
>          Framed-MTU = 1100
>          EAP-Message = 0x020600061900
>          State = 0x8fae4f288ba856d7f54a19d8916d3466
>          Aruba-Essid-Name = "eduroam"
>          Aruba-Location-Id = "PTM-MIS"
>          Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
>          Message-Authenticator = 0xb3457d7a24957b9fa3781dc6b0c24295
> server eduroam-inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authorize {
> [auth_log]      expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [auth_log]      expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]      expand: %t -> Fri Aug 11 12:48:36 2017
> ++[auth_log] = ok
> [suffix] Looking up realm "uthm.edu.my" for User-Name = "[hidden email]"
> [suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
> [suffix] Adding Stripped-User-Name = "test"
> [suffix] Adding Realm = "uthm.edu.my"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] = ok
> [ldap] performing user authorization for test
> [ldap]  expand: %{Stripped-User-Name} -> test
> [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
> [ldap]  expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
>    [ldap] ldap_get_conn: Checking Id: 0
>    [ldap] ldap_get_conn: Got Id: 0
>    [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
> [ldap] checking if remote access for test is allowed by uid
> [ldap] looking for check items in directory...
>    [ldap] uid -> User-Name == "test"
>    [ldap] userPassword -> Password-With-Header ==
> "{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
>    [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok
> ++[files] = noop
> ++[mschap] = noop
> [pap] No clear-text password in the request.  Not performing PAP.
> ++[pap] = noop
> [eap] EAP packet type response id 6 length 6
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake is finished
> [peap] eaptls_verify returned 3
> [peap] eaptls_process returned 3
> [peap] EAPTLS_SUCCESS
> [peap] Session established.  Decoding tunneled attributes.
> [peap] Peap state TUNNEL ESTABLISHED
> ++[eap] = handled
> +} # group authenticate = handled
> } # server eduroam-inner-tunnel
> Sending Access-Challenge of id 155 to 192.168.241.12 port 56951
>          EAP-Message =
> 0x010700281900170303001d1c8a45d0b7de864ad470a8ed8a39384d931984faa55ad2ebc731ac4bbb
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x8fae4f288aa956d7f54a19d8916d3466
> Finished request 13.
> Going to the next request
> Waking up in 2.6 seconds.
> rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
> id=156, length=272
>          User-Name = "[hidden email]"
>          NAS-IP-Address = 192.168.241.12
>          NAS-Port = 0
>          NAS-Identifier = "eduroam"
>          NAS-Port-Type = Wireless-802.11
>          Calling-Station-Id = "606720CB37CC"
>          Called-Station-Id = "001A1E012EE8"
>          Service-Type = Login-User
>          Framed-MTU = 1100
>          EAP-Message =
> 0x0207003419001703030029000000000000000134f54fb6fe56b12faf31a04562eb50ddcfa3354f7bbfd1545aa0130c45e0dd385c
>          State = 0x8fae4f288aa956d7f54a19d8916d3466
>          Aruba-Essid-Name = "eduroam"
>          Aruba-Location-Id = "PTM-MIS"
>          Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
>          Message-Authenticator = 0xa7c3a3db99bf62cb53cf74ae99a4acd5
> server eduroam-inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authorize {
> [auth_log]      expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [auth_log]      expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]      expand: %t -> Fri Aug 11 12:48:36 2017
> ++[auth_log] = ok
> [suffix] Looking up realm "uthm.edu.my" for User-Name = "[hidden email]"
> [suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
> [suffix] Adding Stripped-User-Name = "test"
> [suffix] Adding Realm = "uthm.edu.my"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] = ok
> [ldap] performing user authorization for test
> [ldap]  expand: %{Stripped-User-Name} -> test
> [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
> [ldap]  expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
>    [ldap] ldap_get_conn: Checking Id: 0
>    [ldap] ldap_get_conn: Got Id: 0
>    [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
> [ldap] checking if remote access for test is allowed by uid
> [ldap] looking for check items in directory...
>    [ldap] uid -> User-Name == "test"
>    [ldap] userPassword -> Password-With-Header ==
> "{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
>    [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok
> ++[files] = noop
> ++[mschap] = noop
> [pap] No clear-text password in the request.  Not performing PAP.
> ++[pap] = noop
> [eap] EAP packet type response id 7 length 52
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established.  Decoding tunneled attributes.
> [peap] Peap state WAITING FOR INNER IDENTITY
> [peap] Identity - [hidden email]
> [peap] Got inner identity '[hidden email]'
> [peap] Setting default EAP type for tunneled EAP session.
> [peap] Got tunneled request
>          EAP-Message = 0x020700150174657374407574686d2e6564752e6d79
> server eduroam-inner-tunnel {
> [peap] Setting User-Name to [hidden email]
> Sending tunneled request
>          EAP-Message = 0x020700150174657374407574686d2e6564752e6d79
>          FreeRADIUS-Proxied-To = 127.0.0.1
>          User-Name = "[hidden email]"
>          NAS-IP-Address = 192.168.241.12
>          NAS-Port = 0
>          NAS-Identifier = "eduroam"
>          NAS-Port-Type = Wireless-802.11
>          Calling-Station-Id = "606720CB37CC"
>          Called-Station-Id = "001A1E012EE8"
>          Service-Type = Login-User
>          Framed-MTU = 1100
>          Aruba-Essid-Name = "eduroam"
>          Aruba-Location-Id = "PTM-MIS"
>          Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
> server eduroam-inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authorize {
> [auth_log]      expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [auth_log]      expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]      expand: %t -> Fri Aug 11 12:48:36 2017
> ++[auth_log] = ok
> [suffix] Looking up realm "uthm.edu.my" for User-Name = "[hidden email]"
> [suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
> [suffix] Adding Stripped-User-Name = "test"
> [suffix] Adding Realm = "uthm.edu.my"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] = ok
> [ldap] performing user authorization for test
> [ldap]  expand: %{Stripped-User-Name} -> test
> [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
> [ldap]  expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
>    [ldap] ldap_get_conn: Checking Id: 0
>    [ldap] ldap_get_conn: Got Id: 0
>    [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
> [ldap] checking if remote access for test is allowed by uid
> [ldap] looking for check items in directory...
>    [ldap] uid -> User-Name == "test"
>    [ldap] userPassword -> Password-With-Header ==
> "{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
>    [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok
> ++[files] = noop
> ++[mschap] = noop
> [pap] No clear-text password in the request.  Not performing PAP.
> ++[pap] = noop
> [eap] EAP packet type response id 7 length 21
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] = updated
> +} # group authorize = updated
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authenticate {
> [eap] EAP Identity
> [eap] processing type mschapv2
> rlm_eap_mschapv2: Issuing Challenge
> ++[eap] = handled
> +} # group authenticate = handled
> } # server eduroam-inner-tunnel
> [peap] Got tunneled reply code 11
>          EAP-Message =
> 0x0108002a1a0108002510343a9d3341344d17be103ba1b8102a4d74657374407574686d2e6564752e6d79
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0xcbeddcf3cbe5c6059f24a1ca23970697
> [peap] Got tunneled reply RADIUS code Access-Challenge
>          EAP-Message =
> 0x0108002a1a0108002510343a9d3341344d17be103ba1b8102a4d74657374407574686d2e6564752e6d79
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0xcbeddcf3cbe5c6059f24a1ca23970697
> [peap] Got tunneled Access-Challenge
> ++[eap] = handled
> +} # group authenticate = handled
> } # server eduroam-inner-tunnel
> Sending Access-Challenge of id 156 to 192.168.241.12 port 56951
>          EAP-Message =
> 0x010800491900170303003e1c8a45d0b7de864b2d1e68270fa233de3ac15f3ba93a9d2e2df074591a16e288b38d1ec3175acf72ef0f30a6f19ee6e5a4e9b3ccb86e49568d7c2cb0af87
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x8fae4f2889a656d7f54a19d8916d3466
> Finished request 14.
> Going to the next request
> Waking up in 2.6 seconds.
> rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
> id=157, length=326
>          User-Name = "[hidden email]"
>          NAS-IP-Address = 192.168.241.12
>          NAS-Port = 0
>          NAS-Identifier = "eduroam"
>          NAS-Port-Type = Wireless-802.11
>          Calling-Station-Id = "606720CB37CC"
>          Called-Station-Id = "001A1E012EE8"
>          Service-Type = Login-User
>          Framed-MTU = 1100
>          EAP-Message =
> 0x0208006a1900170303005f0000000000000002e601a6aa39b3f001761524212d3ad0f41d4ed51d41f2ccd5e98cec19669d823871d2c63f9d0e24a20b54572e2f27420eee0f333e8bc450f328c4a5a29778e395986cd10574041407466476fa397de3d2e27c8e2408f5b2
>          State = 0x8fae4f2889a656d7f54a19d8916d3466
>          Aruba-Essid-Name = "eduroam"
>          Aruba-Location-Id = "PTM-MIS"
>          Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
>          Message-Authenticator = 0x1a31e183513b430559a36db139e98115
> server eduroam-inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authorize {
> [auth_log]      expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [auth_log]      expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]      expand: %t -> Fri Aug 11 12:48:36 2017
> ++[auth_log] = ok
> [suffix] Looking up realm "uthm.edu.my" for User-Name = "[hidden email]"
> [suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
> [suffix] Adding Stripped-User-Name = "test"
> [suffix] Adding Realm = "uthm.edu.my"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] = ok
> [ldap] performing user authorization for test
> [ldap]  expand: %{Stripped-User-Name} -> test
> [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
> [ldap]  expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
>    [ldap] ldap_get_conn: Checking Id: 0
>    [ldap] ldap_get_conn: Got Id: 0
>    [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
> [ldap] checking if remote access for test is allowed by uid
> [ldap] looking for check items in directory...
>    [ldap] uid -> User-Name == "test"
>    [ldap] userPassword -> Password-With-Header ==
> "{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
>    [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok
> ++[files] = noop
> ++[mschap] = noop
> [pap] No clear-text password in the request.  Not performing PAP.
> ++[pap] = noop
> [eap] EAP packet type response id 8 length 106
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established.  Decoding tunneled attributes.
> [peap] Peap state phase2
> [peap] EAP type mschapv2
> [peap] Got tunneled request
>          EAP-Message =
> 0x0208004b1a02080046315a9c485813afb0d85fa3ff490bc740b30000000000000000710dff1dfc34e780f32401e4a4772847f532a4ce5e8b43500074657374407574686d2e6564752e6d79
> server eduroam-inner-tunnel {
> [peap] Setting User-Name to [hidden email]
> Sending tunneled request
>          EAP-Message =
> 0x0208004b1a02080046315a9c485813afb0d85fa3ff490bc740b30000000000000000710dff1dfc34e780f32401e4a4772847f532a4ce5e8b43500074657374407574686d2e6564752e6d79
>          FreeRADIUS-Proxied-To = 127.0.0.1
>          User-Name = "[hidden email]"
>          State = 0xcbeddcf3cbe5c6059f24a1ca23970697
>          NAS-IP-Address = 192.168.241.12
>          NAS-Port = 0
>          NAS-Identifier = "eduroam"
>          NAS-Port-Type = Wireless-802.11
>          Calling-Station-Id = "606720CB37CC"
>          Called-Station-Id = "001A1E012EE8"
>          Service-Type = Login-User
>          Framed-MTU = 1100
>          Aruba-Essid-Name = "eduroam"
>          Aruba-Location-Id = "PTM-MIS"
>          Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
> server eduroam-inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authorize {
> [auth_log]      expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [auth_log]      expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]      expand: %t -> Fri Aug 11 12:48:36 2017
> ++[auth_log] = ok
> [suffix] Looking up realm "uthm.edu.my" for User-Name = "[hidden email]"
> [suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
> [suffix] Adding Stripped-User-Name = "test"
> [suffix] Adding Realm = "uthm.edu.my"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] = ok
> [ldap] performing user authorization for test
> [ldap]  expand: %{Stripped-User-Name} -> test
> [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
> [ldap]  expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
>    [ldap] ldap_get_conn: Checking Id: 0
>    [ldap] ldap_get_conn: Got Id: 0
>    [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
> [ldap] checking if remote access for test is allowed by uid
> [ldap] looking for check items in directory...
>    [ldap] uid -> User-Name == "test"
>    [ldap] userPassword -> Password-With-Header ==
> "{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
>    [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok
> ++[files] = noop
> ++[mschap] = noop
> [pap] No clear-text password in the request.  Not performing PAP.
> ++[pap] = noop
> [eap] EAP packet type response id 8 length 75
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] = updated
> +} # group authorize = updated
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] # Executing group from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> [mschapv2] +group MS-CHAP {
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Creating challenge hash with username: [hidden email]
> [mschap] Client is using MS-CHAPv2 for [hidden email], we need NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] = reject
> +} # group MS-CHAP = reject
> [eap] Freeing handler
> ++[eap] = reject
> +} # group authenticate = reject
> Failed to authenticate the user.
> Login incorrect: [[hidden email]] (from client radsec port 0 cli
> 606720CB37CC via TLS tunnel)
> Using Post-Auth-Type REJECT
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group REJECT {
> [reply_log]     expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [reply_log]     expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/reply-detail-20170811
> [reply_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/reply-detail-20170811
> [reply_log]     expand: %t -> Fri Aug 11 12:48:36 2017
> ++[reply_log] = ok
> +} # group REJECT = ok
> } # server eduroam-inner-tunnel
> [peap] Got tunneled reply code 3
>          MS-CHAP-Error = "\010E=691 R=1"
>          EAP-Message = 0x04080004
>          Message-Authenticator = 0x00000000000000000000000000000000
> [peap] Got tunneled reply RADIUS code Access-Reject
>          MS-CHAP-Error = "\010E=691 R=1"
>          EAP-Message = 0x04080004
>          Message-Authenticator = 0x00000000000000000000000000000000
> [peap] Tunneled authentication was rejected.
> [peap] FAILURE
> ++[eap] = handled
> +} # group authenticate = handled
> } # server eduroam-inner-tunnel
> Sending Access-Challenge of id 157 to 192.168.241.12 port 56951
>          EAP-Message =
> 0x0109002e190017030300231c8a45d0b7de864c86cfe8658e8f5a7692bff076e34cac34a4f898a86fb7d7bd87bd0d
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x8fae4f2888a756d7f54a19d8916d3466
> Finished request 15.
> Going to the next request
> Waking up in 2.6 seconds.
> rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
> id=158, length=266
>          User-Name = "[hidden email]"
>          NAS-IP-Address = 192.168.241.12
>          NAS-Port = 0
>          NAS-Identifier = "eduroam"
>          NAS-Port-Type = Wireless-802.11
>          Calling-Station-Id = "606720CB37CC"
>          Called-Station-Id = "001A1E012EE8"
>          Service-Type = Login-User
>          Framed-MTU = 1100
>          EAP-Message =
> 0x0209002e19001703030023000000000000000334b2a2f72bfaff9cb368e59ee145ac3b61bb33f10ff54368601eda
>          State = 0x8fae4f2888a756d7f54a19d8916d3466
>          Aruba-Essid-Name = "eduroam"
>          Aruba-Location-Id = "PTM-MIS"
>          Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
>          Message-Authenticator = 0x13d985f1b0164cab9128cf4e07b3a9e0
> server eduroam-inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authorize {
> [auth_log]      expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [auth_log]      expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]      expand: %t -> Fri Aug 11 12:48:36 2017
> ++[auth_log] = ok
> [suffix] Looking up realm "uthm.edu.my" for User-Name = "[hidden email]"
> [suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
> [suffix] Adding Stripped-User-Name = "test"
> [suffix] Adding Realm = "uthm.edu.my"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] = ok
> [ldap] performing user authorization for test
> [ldap]  expand: %{Stripped-User-Name} -> test
> [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
> [ldap]  expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
>    [ldap] ldap_get_conn: Checking Id: 0
>    [ldap] ldap_get_conn: Got Id: 0
>    [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
> [ldap] checking if remote access for test is allowed by uid
> [ldap] looking for check items in directory...
>    [ldap] uid -> User-Name == "test"
>    [ldap] userPassword -> Password-With-Header ==
> "{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
>    [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok
> ++[files] = noop
> ++[mschap] = noop
> [pap] No clear-text password in the request.  Not performing PAP.
> ++[pap] = noop
> [eap] EAP packet type response id 9 length 46
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established.  Decoding tunneled attributes.
> [peap] Peap state send tlv failure
> [peap] Received EAP-TLV response.
> [peap]  The users session was previously rejected: returning reject (again.)
> [peap]  *** This means you need to read the PREVIOUS messages in the debug
> output
> [peap]  *** to find out the reason why the user was rejected.
> [peap]  *** Look for "reject" or "fail".  Those earlier messages will tell
> you.
> [peap]  *** what went wrong, and how to fix the problem.
> [eap] Handler failed in EAP/peap
> [eap] Failed in EAP select
> ++[eap] = invalid
> +} # group authenticate = invalid
> Failed to authenticate the user.
> Login incorrect: [[hidden email]] (from client radsec port 0 cli
> 606720CB37CC)
> } # server eduroam-inner-tunnel
> Using Post-Auth-Type REJECT
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group REJECT {
> [reply_log]     expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [reply_log]     expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/reply-detail-20170811
> [reply_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/reply-detail-20170811
> [reply_log]     expand: %t -> Fri Aug 11 12:48:36 2017
> ++[reply_log] = ok
> +} # group REJECT = ok
> Delaying reject of request 16 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 16
> Sending Access-Reject of id 158 to 192.168.241.12 port 56951
>          EAP-Message = 0x04090004
>          Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 1.6 seconds.
> Cleaning up request 7 ID 150 with timestamp +220
> Cleaning up request 9 ID 151 with timestamp +220
> Cleaning up request 10 ID 152 with timestamp +220
> Cleaning up request 11 ID 153 with timestamp +220
> Cleaning up request 12 ID 154 with timestamp +220
> Waking up in 2.2 seconds.
> Cleaning up request 13 ID 155 with timestamp +222
> Cleaning up request 14 ID 156 with timestamp +222
> Cleaning up request 15 ID 157 with timestamp +222
> Waking up in 1.0 seconds.
> Cleaning up request 16 ID 158 with timestamp +222
> Ready to process requests.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radius and ldap authentication.

Alan DeKok-2
In reply to this post by Mohd Akhbar
On Aug 11, 2017, at 6:53 AM, Mohd Akhbar <[hidden email]> wrote:
>
> I want to connect radius with my ldap (389 Directory) and my user password
> in SHA. Actually taking over the task from colleague. Please give some
> advice. Thank you.

  http://deployingradius.com/documents/protocols/compatibility.html

  You can't use SHA passwords with PEAP.  It's impossible.

  Alan DeKok.

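The debug output above shows the mechanism behind Alan's answer: the ldap module hands back `Password-With-Header == "{SHA}..."`, and the mschap module then reports "we need NT-Password". The following is an added illustration, not code from the thread or from FreeRADIUS: a Password-With-Header parser, a PAP check that works against a {SHA}/{SSHA} value, and a compatibility check whose method-to-password-form mapping is an assumption drawn from the protocol definitions (PAP carries the cleartext, so any stored form can be re-hashed; MS-CHAPv2 needs the NT hash, which cannot be derived from a SHA digest). The sample values are constructed.

```python
import base64
import hashlib

# LDAP userPassword values reach FreeRADIUS as Password-With-Header, e.g.
# "{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw=" in the debug output above. The server
# can verify a credential only if it holds the password in the form the
# method is defined over. Mapping below is an assumption from the protocol
# definitions: PAP carries the cleartext, so any stored form can be re-hashed;
# CHAP needs cleartext; MS-CHAP/MS-CHAPv2 need NT-Password (MD4 over the
# UTF-16LE cleartext), which cannot be computed from a SHA digest.
ACCEPTABLE_FORMS = {
    "PAP": {"CLEAR", "SHA", "SSHA", "NT"},
    "CHAP": {"CLEAR"},
    "MS-CHAP": {"CLEAR", "NT"},
    "EAP-MSCHAPv2": {"CLEAR", "NT"},  # the PEAP inner method in the log
}

def parse_password_with_header(value):
    """Split '{SCHEME}data' into (scheme, raw bytes); no header means cleartext."""
    if value.startswith("{") and "}" in value:
        scheme, _, data = value[1:].partition("}")
        scheme = scheme.upper()
        if scheme == "CLEAR":
            return scheme, data.encode()
        return scheme, base64.b64decode(data)
    return "CLEAR", value.encode()

def pap_verify(stored, cleartext):
    """PAP check: the request carries the cleartext, so it can be re-hashed."""
    scheme, raw = parse_password_with_header(stored)
    pw = cleartext.encode()
    if scheme == "CLEAR":
        return raw == pw
    if scheme == "SHA":
        return hashlib.sha1(pw).digest() == raw
    if scheme == "SSHA":  # salted SHA-1: digest (20 bytes) || salt
        return hashlib.sha1(pw + raw[20:]).digest() == raw[:20]
    raise ValueError("unsupported scheme " + scheme)

def usable_for(stored, auth_type):
    """Can the server complete auth_type holding only this stored value?"""
    scheme, _ = parse_password_with_header(stored)
    return scheme in ACCEPTABLE_FORMS[auth_type]

def make_ssha(cleartext, salt):
    """Build an {SSHA} value (used only to construct sample data)."""
    raw = hashlib.sha1(cleartext.encode() + salt).digest() + salt
    return "{SSHA}" + base64.b64encode(raw).decode()
```

With the constructed value `{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=` (the {SHA} form of the password "test"), `pap_verify` succeeds while `usable_for(..., "EAP-MSCHAPv2")` is False, which is exactly the reject path the debug trace walks through.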