Gast123
Hello everyone,
I want to set up a RADIUS server with freeradius for a WiFi access point.
I followed this tutorial:
http://wiki.freeradius.org/guide/HOWTO
Connecting via the console works as described.
I entered the access point in clients.conf and configured the access point for the RADIUS server.
Then I created a user (neumannr).
Testing with radtest worked fine.
Unfortunately, when I try to connect to the WLAN, the following happens (debug output at the end of this post).
Am I doing something wrong, or have I overlooked something?
I entered the access point in clients.conf:
Code:
# -*- text -*-
##
## clients.conf -- client configuration directives
##
## $Id$
#######################################################################
#
# Define RADIUS clients (usually a NAS, Access Point, etc.).
#
# Defines a RADIUS client.
#
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
# to allow testing of the server after an initial installation. If you
# are not going to be permitting RADIUS queries from localhost, we suggest
# that you delete, or comment out, this entry.
#
#
#
# Each client has a "short name" that is used to distinguish it from
# other clients.
#
# In version 1.x, the string after the word "client" was the IP
# address of the client. In 2.0, the IP address is configured via
# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
# format is still accepted.
#
client localhost {
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
ipaddr = 127.0.0.1
# OR, you can use an IPv6 address, but not both
# at the same time.
# ipv6addr = :: # any. ::1 == localhost
#
# A note on DNS: We STRONGLY recommend using IP addresses
# rather than host names. Using host names means that the
# server will do DNS lookups when it starts, making it
# dependent on DNS. i.e. If anything goes wrong with DNS,
# the server won't start!
#
# The server also looks up the IP address from DNS once, and
# only once, when it starts. If the DNS record is later
# updated, the server WILL NOT see that update.
#
# One client definition can be applied to an entire network.
# e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
# "netmask = 8"
#
# If not specified, the default netmask is 32 (i.e. /32)
#
# We do NOT recommend using anything other than 32. There
# are usually other, better ways to achieve the same goal.
# Using netmasks of other than 32 can cause security issues.
#
# You can specify overlapping networks (127/8 and 127.0/16)
# In that case, the smallest possible network will be used
# as the "best match" for the client.
#
# Clients can also be defined dynamically at run time, based
# on any criteria. e.g. SQL lookups, keying off of NAS-Identifier,
# etc.
# See raddb/sites-available/dynamic-clients for details.
#
# netmask = 32
#
# The shared secret used to "encrypt" and "sign" packets between
# the NAS and FreeRADIUS. You MUST change this secret from the
# default, otherwise it's not a secret any more!
#
# The secret can be any string, up to 8k characters in length.
#
# Control codes can be entered via octal encoding,
# e.g. "\101\102" == "AB"
# Quotation marks can be entered by escaping them,
# e.g. "foo\"bar"
#
# A note on security: The security of the RADIUS protocol
# depends COMPLETELY on this secret! We recommend using a
# shared secret that is composed of:
#
# upper case letters
# lower case letters
# numbers
#
# And is at LEAST 8 characters long, preferably 16 characters in
# length. The secret MUST be random, and should not be words,
# phrase, or anything else that is recognizable.
#
# The default secret below is only for testing, and should
# not be used in any real environment.
#
secret = testing123
#
# Old-style clients do not send a Message-Authenticator
# in an Access-Request. RFC 5080 suggests that all clients
# SHOULD include it in an Access-Request. The configuration
# item below allows the server to require it. If a client
# is required to include a Message-Authenticator and it does
# not, then the packet will be silently discarded.
#
# allowed values: yes, no
require_message_authenticator = no
#
# The short name is used as an alias for the fully qualified
# domain name, or the IP address.
#
# It is accepted for compatibility with 1.x, but it is no
# longer necessary in 2.0
#
# shortname = localhost
#
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous use checks
#
#
# The nastype tells 'checkrad.pl' which NAS-specific method to
# use to query the NAS for simultaneous use.
#
# Permitted NAS types are:
#
# cisco
# computone
# livingston
# max40xx
# multitech
# netserver
# pathras
# patton
# portslave
# tc
# usrhiper
# other # for all other types
#
nastype = other # localhost isn't usually a NAS...
#
# The following two configurations are for future use.
# The 'naspasswd' file is currently used to store the NAS
# login name and password, which is used by checkrad.pl
# when querying the NAS for simultaneous use.
#
# login = !root
# password = someadminpas
#
# As of 2.0, clients can also be tied to a virtual server.
# This is done by setting the "virtual_server" configuration
# item, as in the example below.
#
# virtual_server = home1
#
# A pointer to the "home_server_pool" OR a "home_server"
# section that contains the CoA configuration for this
# client. For an example of a coa home server or pool,
# see raddb/sites-available/originate-coa
# coa_server = coa
}
# IPv6 Client
#client ::1 {
# secret = testing123
# shortname = localhost
#}
#
# All IPv6 Site-local clients
#client fe80::/16 {
# secret = testing123
# shortname = localhost
#}
#client some.host.org {
# secret = testing123
# shortname = localhost
#}
#
# You can now specify one secret for a network of clients.
# When a client request comes in, the BEST match is chosen.
# i.e. The entry from the smallest possible network.
#
#client 192.168.0.0/24 {
# secret = testing123-1
# shortname = private-network-1
#}
#
#client 192.168.0.0/16 {
# secret = testing123-2
# shortname = private-network-2
#}
client dir655 {
# secret and password are mapped through the "secrets" file.
secret = CSH-RadiusPW
shortname = dir655
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous usage checks
# nastype = livingston
# login = !root
# password = someadminpas
}
client thinkpad {
secret = CSH-RadiusPW
shortname = thinkpad
}
#######################################################################
#
# Per-socket client lists. The configuration entries are exactly
# the same as above, but they are nested inside of a section.
#
# You can have as many per-socket client lists as you have "listen"
# sections, or you can re-use a list among multiple "listen" sections.
#
# Un-comment this section, and edit a "listen" section to add:
# "clients = per_socket_clients". That IP address/port combination
# will then accept ONLY the clients listed in this section.
#
#clients per_socket_clients {
# client 192.168.3.4 {
# secret = testing123
# }
#}
Then I created a user (neumannr):
Code:
#
# Please read the documentation file ../doc/processing_users_file,
# or 'man 5 users' (after installing the server) for more information.
#
# This file contains authentication security and configuration
# information for each user. Accounting requests are NOT processed
# through this file. Instead, see 'acct_users', in this directory.
#
# The first field is the user's name and can be up to
# 253 characters in length. This is followed (on the same line) with
# the list of authentication requirements for that user. This can
# include password, comm server name, comm server port number, protocol
# type (perhaps set by the "hints" file), and huntgroup name (set by
# the "huntgroups" file).
#
# If you are not sure why a particular reply is being sent by the
# server, then run the server in debugging mode (radiusd -X), and
# you will see which entries in this file are matched.
#
# When an authentication request is received from the comm server,
# these values are tested. Only the first match is used unless the
# "Fall-Through" variable is set to "Yes".
#
# A special user named "DEFAULT" matches on all usernames.
# You can have several DEFAULT entries. All entries are processed
# in the order they appear in this file. The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.
#
# If you use the database support to turn this file into a .db or .dbm
# file, the DEFAULT entries _have_ to be at the end of this file and
# you can't have multiple entries for one username.
#
# Indented (with the tab character) lines following the first
# line indicate the configuration values to be passed back to
# the comm server to allow the initiation of a user session.
# This can include things like the PPP configuration values
# or the host to log the user onto.
#
# You can include another `users' file with `$INCLUDE users.other'
#
#
# For a list of RADIUS attributes, and links to their definitions,
# see:
#
# http://www.freeradius.org/rfc/attributes.html
#
#
# Deny access for a specific user. Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#lameuser Auth-Type := Reject
# Reply-Message = "Your account has been disabled."
#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT Group == "disabled", Auth-Type := Reject
# Reply-Message = "Your account has been disabled."
#
#
# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
neumannr Cleartext-Password := "testing"
#steve Cleartext-Password := "testing"
# Service-Type = Framed-User,
# Framed-Protocol = PPP,
# Framed-IP-Address = 172.16.3.33,
# Framed-IP-Netmask = 255.255.255.0,
# Framed-Routing = Broadcast-Listen,
# Framed-Filter-Id = "std.ppp",
# Framed-MTU = 1500,
# Framed-Compression = Van-Jacobsen-TCP-IP
#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe" Cleartext-Password := "hello"
# Reply-Message = "Hello, %{User-Name}"
#
# Dial user back and telnet to the default host for that port
#
#Deg Cleartext-Password := "ge55ged"
# Service-Type = Callback-Login-User,
# Login-IP-Host = 0.0.0.0,
# Callback-Number = "9,5551212",
# Login-Service = Telnet,
# Login-TCP-Port = Telnet
#
# Another complete entry. After the user "dialbk" has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host "timeshare1".
#
#dialbk Cleartext-Password := "callme"
# Service-Type = Callback-Login-User,
# Login-IP-Host = timeshare1,
# Login-Service = PortMaster,
# Callback-Number = "9,1-800-555-1212"
#
# user "swilson" will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups file).
#
# Note that by setting "Fall-Through", other attributes will be added from
# the following DEFAULT entries
#
#swilson Service-Type == Framed-User, Huntgroup-Name == "alphen"
# Framed-IP-Address = 192.168.1.65,
# Fall-Through = Yes
#
# If the user logs in as 'username.shell', then authenticate them
# using the default method, give them shell access, and stop processing
# the rest of the file.
#
#DEFAULT Suffix == ".shell"
# Service-Type = Login-User,
# Login-Service = Telnet,
# Login-IP-Host = your.shell.machine
#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#
#
# Set up different IP address pools for the terminal servers.
# Note that the "+" behind the IP address means that this is the "base"
# IP address. The Port-Id (S0, S1 etc) will be added to it.
#
#DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen"
# Framed-IP-Address = 192.168.1.32+,
# Fall-Through = Yes
#DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft"
# Framed-IP-Address = 192.168.2.32+,
# Fall-Through = Yes
#
# Sample defaults for all framed connections.
#
#DEFAULT Service-Type == Framed-User
# Framed-IP-Address = 255.255.255.254,
# Framed-MTU = 576,
# Service-Type = Framed-User,
# Fall-Through = Yes
#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
# by the terminal server in which case there may not be a "P" suffix.
# The terminal server sends "Framed-Protocol = PPP" for auto PPP.
#
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
#
# Last default: rlogin to our main server.
#
#DEFAULT
# Service-Type = Login-User,
# Login-Service = Rlogin,
# Login-IP-Host = shellbox.ispdomain.com
# #
# # Last default: shell on the local terminal server.
# #
# DEFAULT
# Service-Type = Administrative-User
# On no match, the user is denied access.
Unfortunately, when I try to connect to the WLAN, the following happens:
Code:
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.178.3 port 4097, id=20, length=75
User-Name = "neumannr"
NAS-IP-Address = 192.168.178.3
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0212000d016e65756d616e6e72
Message-Authenticator = 0xbe4e8498b1305bc0c9e599042b8c98de
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "neumannr", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 18 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry neumannr at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 20 to 192.168.178.3 port 4097
EAP-Message = 0x0113001604104c38534b252c3ddf3a967331284453d7
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x566a0b4156790fe6dc3e4dc407c5d04f
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.178.3 port 4097, id=21, length=86
User-Name = "neumannr"
NAS-IP-Address = 192.168.178.3
NAS-Port-Type = Wireless-802.11
State = 0x566a0b4156790fe6dc3e4dc407c5d04f
EAP-Message = 0x021300060319
Message-Authenticator = 0x1acdb2f6c137ea94f7105f3b97674208
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "neumannr", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 19 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry neumannr at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 21 to 192.168.178.3 port 4097
EAP-Message = 0x011400061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x566a0b41577e12e6dc3e4dc407c5d04f
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.178.3 port 4097, id=22, length=202
User-Name = "neumannr"
NAS-IP-Address = 192.168.178.3
NAS-Port-Type = Wireless-802.11
State = 0x566a0b41577e12e6dc3e4dc407c5d04f
EAP-Message = 0x0214007a198000000070160301006b01000067030151058b7cda730bbe539a79b90f1eb4329b95a7f11051447e052e8ebcaa6d49a8000018002f00350005000ac013c014c009c00a003200380013000401000026ff010001000000000d000b0000086e65756d616e6e72000a0006000400170018000b00020100
Message-Authenticator = 0x35d9916ca9320b88fffda598bcf5dbd8
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "neumannr", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 20 length 122
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 112
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 006b], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 22 to 192.168.178.3 port 4097
EAP-Message = 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
EAP-Message = 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
EAP-Message = 0x6f98437e2a5709edf0145151df5634ecc18f70580535e9c54d2968c4f95e581065d878786ffd3c31f2d0fc2158498fe8331a0f5e6212bd207b878becfd0a0af13cf90f529f568d8959b49df56ab41e6289424316458cd1024a961b9c6dd447bc63a5cadb60cc1b4c56ccebe2b1ba938d85c3141c6d6c287bff61a2eca88914fad4936f3d66d91370de2871c1e030c877c798778c5e057d06dda3de5dba4962e00bf86834c8d06238414ee98d89937c68bcb783bc9345910503b5fe06f65bb54c0f1fc9e5b127149ff70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003820101009b94
EAP-Message = 0x0f6bbd692a4b3921f0f52a43f60b3ea2bbb603d336b59fa07b966cdb2b6cc896565c12f0ecede20da26f36eefeaa662c9110db75a5d1bf90d4c20265394600d506f0109906965871fe16ae1a133c97a6bdfc2c5e67ca6dc1a67ffff20c3ed2e4c198a15dd2b53b4f12b2bc942fc8c724d48a1891b261b9583be98f7b7d7d649f293c131ebf7c277353b8bc264cce1a9ba7f540a7b79263120c6ae6569e10f6eb8c15f381d7dd870c4e90e9e98f298ff7c380ac51aa1f83fbed18b676b79096fb79f7bc67be2fc20167038cb3f67925e79a1cbb9bd497acd2b16e1aa5d1d9502972d1aa07af3ebd3d440962809fb686df4c762d2aa9c44309123a628dda
EAP-Message = 0x740004ab308204a73082038f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x566a0b41547f12e6dc3e4dc407c5d04f
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.178.3 port 4097, id=23, length=86
User-Name = "neumannr"
NAS-IP-Address = 192.168.178.3
NAS-Port-Type = Wireless-802.11
State = 0x566a0b41547f12e6dc3e4dc407c5d04f
EAP-Message = 0x021500061900
Message-Authenticator = 0x31e6efbf4ff8433dd71c5ff2b94e267e
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "neumannr", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 21 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 23 to 192.168.178.3 port 4097
EAP-Message = 0x011603fc1940a003020102020900e792485d9d919b72300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3133303132373138323534345a170d3133303332383138323534345a308193310b3009060355040613024652310f300d0603550408130652616469757331
EAP-Message = 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
EAP-Message = 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
EAP-Message = 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
EAP-Message = 0x2223ae0afe0dea18
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x566a0b41557c12e6dc3e4dc407c5d04f
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.178.3 port 4097, id=24, length=86
User-Name = "neumannr"
NAS-IP-Address = 192.168.178.3
NAS-Port-Type = Wireless-802.11
State = 0x566a0b41557c12e6dc3e4dc407c5d04f
EAP-Message = 0x021600061900
Message-Authenticator = 0xf524ca03daa6bbb0be1d01a4f451fa17
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "neumannr", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 22 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 24 to 192.168.178.3 port 4097
EAP-Message = 0x011700bc1900817c1e3af8bfb4d040c95b2605a8d0f0e39747517535b55e96bf38c3a65864c80feafbee76ec737796c3a0d9cf6a0792a771b3e66a7f674bbd7071653ebac8e2a1a5fd16814b3f317f1d11ea18119872a31088b326fe16f94000be34f9c5b14147fef5b761059572045853fc62e1a6144b83d7aedcba36b7d02b850e47106e3e2bfce96919be48562ff75489ba9f25ba9b4bf780a539b37f332a4eed65685f5e1a2aca88c5f3256671be9b818816030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x566a0b41527d12e6dc3e4dc407c5d04f
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.178.3 port 4097, id=25, length=97
User-Name = "neumannr"
NAS-IP-Address = 192.168.178.3
NAS-Port-Type = Wireless-802.11
State = 0x566a0b41527d12e6dc3e4dc407c5d04f
EAP-Message = 0x0217001119800000000715030100020230
Message-Authenticator = 0x9697f9833e3b2c1b0f84221679a042d5
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "neumannr", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 23 length 17
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> neumannr
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 25 to 192.168.178.3 port 4097
EAP-Message = 0x04170004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
Cleaning up request 0 ID 20 with timestamp +20
Cleaning up request 1 ID 21 with timestamp +20
Cleaning up request 2 ID 22 with timestamp +20
Cleaning up request 3 ID 23 with timestamp +20
Cleaning up request 4 ID 24 with timestamp +20
Waking up in 1.0 seconds.
Cleaning up request 5 ID 25 with timestamp +21
Ready to process requests.
Best regards,
Schard
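The debug output in the post ends with the supplicant aborting the PEAP tunnel (`TLS Alert read:fatal:unknown CA`). As an added example that is not part of the post and not FreeRADIUS code, the following Python script decodes the `EAP-Message` attributes of such a `radiusd -X` trace so the exchange can be read packet by packet: the client sends its Identity in the clear, NAKs the server's EAP-MD5 challenge and asks for PEAP (type 25), the server answers with a PEAP Start, the client's TLS ClientHello goes through, the server sends its certificate chain in fragments, and the client replies with a fatal TLS alert 48 (unknown_ca), which is the supplicant saying it does not trust the issuer of the RADIUS server's certificate. A small DER walker pulls the issuer name out of the certificate fragment that is visible in the trace. `SAMPLE_TRACE` and `CA_FRAGMENT` are constructed by copying the relevant lines out of the post; the EAP, PEAP and TLS field layouts are the ones from the RFCs, nothing else is assumed.

```python
"""Decode the EAP-Message attributes of a FreeRADIUS 'radiusd -X' trace.
Added example for the post above, not code from the post or from FreeRADIUS;
SAMPLE_TRACE and CA_FRAGMENT are constructed from lines copied out of the post."""
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_CONTENT = {21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone", 20: "Finished"}
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca"}

def decode_eap(hexstr):
    """Decode one EAP packet from the hex value of an EAP-Message attribute."""
    data = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header is 4 bytes: code, id, length")
    pkt = {"code": EAP_CODES.get(data[0], data[0]), "id": data[1], "length": int.from_bytes(data[2:4], "big")}
    if data[0] in (3, 4) or len(data) < 5:      # Success/Failure carry no type byte
        return pkt
    etype, body = data[4], data[5:]
    pkt["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:                               # Identity: the user name, sent in the clear
        pkt["identity"] = body.decode("utf-8", "replace")
    elif etype == 3:                             # Nak: the methods the peer would accept instead
        pkt["wants"] = [EAP_TYPES.get(b, b) for b in body]
    elif etype == 4:                             # MD5-Challenge: value-size, value
        pkt["challenge"] = body[1:1 + body[0]].hex()
    elif etype in (13, 25):                      # EAP-TLS / PEAP outer envelope
        pkt.update(decode_tls_envelope(body))
    return pkt

def decode_tls_envelope(body):
    """Decode the EAP-TLS/PEAP flags byte and, on a first fragment, the TLS record header."""
    flags = body[0]
    out = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    if out["L"]:                                 # L: 4-byte total TLS message length follows
        out["tls_total_length"] = int.from_bytes(body[1:5], "big")
    rec = out["payload"] = body[5 if out["L"] else 1:]
    if not rec:
        out["tls"] = "Start" if out["S"] else "ACK"
    elif not out["L"]:                           # no L: continuation fragment, starts mid-record
        out["tls"] = "fragment"
    else:                                        # first fragment begins with a 5-byte TLS record header
        ctype, rec_len = rec[0], int.from_bytes(rec[3:5], "big")
        tls = {"content": TLS_CONTENT.get(ctype, ctype), "version": "%d.%d" % (rec[1], rec[2])}  # 3.1 = TLS 1.0
        inner = rec[5:5 + rec_len]
        if ctype == 22 and inner:
            tls["handshake"] = TLS_HANDSHAKE.get(inner[0], inner[0])
        elif ctype == 21 and len(inner) >= 2:    # alert: level, description
            tls["level"] = {1: "warning", 2: "fatal"}.get(inner[0], inner[0])
            tls["alert"] = TLS_ALERTS.get(inner[1], inner[1])
        out["tls"] = tls
    return out

def der_strings(data):
    """Walk DER TLVs and collect string/UTCTime values; tolerates a fragment truncated mid-structure."""
    found, pos = [], 0
    while pos + 2 <= len(data):
        tag, ln, pos = data[pos], data[pos + 1], pos + 2
        if ln & 0x80:                            # long-form length: next n bytes hold the length
            n = ln & 0x7F
            if n == 0 or n > 4 or pos + n > len(data):
                break
            ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        end = min(pos + ln, len(data))
        if end < pos + ln and not tag & 0x20:    # truncated primitive: stop here
            break
        if tag & 0x20:                           # constructed (SEQUENCE, SET, [n]): descend
            found.extend(der_strings(data[pos:end]))
        elif tag in (0x0C, 0x13, 0x16, 0x17):    # UTF8String, PrintableString, IA5String, UTCTime
            found.append(data[pos:end].decode("ascii", "replace"))
        pos = end
    return found

def decode_trace(text):
    """Decode the first EAP-Message of every packet in the trace, in order (later ones are continuations)."""
    packets, want = [], False
    for line in text.splitlines():
        if line.startswith(("rad_recv: ", "Sending Access-")):
            want = True
        elif want and line.strip().startswith("EAP-Message = 0x"):
            packets.append(decode_eap(line.split("=", 1)[1].strip()))
            want = False
    return packets

# Constructed from the post's trace: packet headers plus the first EAP-Message of each packet.
SAMPLE_TRACE = """\
rad_recv: Access-Request packet from host 192.168.178.3 port 4097, id=20, length=75
    EAP-Message = 0x0212000d016e65756d616e6e72
rad_recv: Access-Request packet from host 192.168.178.3 port 4097, id=21, length=86
    EAP-Message = 0x021300060319
rad_recv: Access-Request packet from host 192.168.178.3 port 4097, id=22, length=202
    EAP-Message = 0x0214007a198000000070160301006b01000067030151058b7cda730bbe539a79b90f1eb4329b95a7f11051447e052e8ebcaa6d49a8000018002f00350005000ac013c014c009c00a003200380013000401000026ff010001000000000d000b0000086e65756d616e6e72000a0006000400170018000b00020100
rad_recv: Access-Request packet from host 192.168.178.3 port 4097, id=25, length=97
    EAP-Message = 0x0217001119800000000715030100020230
Sending Access-Reject of id 25 to 192.168.178.3 port 4097
    EAP-Message = 0x04170004
"""
# First 219 bytes of the server's certificate-chain fragment (the Access-Challenge of id 23 in the post).
CA_FRAGMENT = "0x011603fc1940a003020102020900e792485d9d919b72300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3133303132373138323534345a170d3133303332383138323534345a"

if __name__ == "__main__":
    for p in decode_trace(SAMPLE_TRACE):
        print(p["code"], p["id"], p.get("type", ""), p.get("identity") or p.get("wants") or p.get("tls", ""))
    print("certificate fragment:", der_strings(decode_eap(CA_FRAGMENT)["payload"]))
```

Run stand-alone, the script lists the packets (Identity "neumannr", Nak wanting PEAP, PEAP ClientHello, PEAP fatal alert unknown_ca, Failure) and prints the name parts found in the certificate fragment: FR, Radius, Somewhere, Example Inc., admin@example.com, Example Certificate Authority, valid 130127182544Z to 130328182544Z, i.e. 60 days. Those are the defaults of the self-signed test CA that FreeRADIUS generates from its bundled raddb/certs/ca.cnf, so the server is presenting the test certificate and the ThinkPad's supplicant, which has never been told to trust that CA, refuses it. The fix belongs on the client (install ca.pem as the trusted CA for this network and, where the supplicant supports it, match the server certificate's name) or on the server (a certificate chained to a CA the clients already trust). Turning off server-certificate validation on the supplicant also makes the connection come up, but then any rogue access point with a RADIUS server behind it can terminate the PEAP tunnel and collect the inner credentials, which for PEAP are typically MSCHAPv2. Two things in the posted clients.conf are worth changing at the same time: the localhost entry still carries the default `testing123` secret, and `dir655` and `thinkpad` share one secret, although the shared secret is the only thing that authenticates a NAS to the server, so each should get its own random one; and since the access point already sends Message-Authenticator in every Access-Request (visible in the trace), `require_message_authenticator = yes` can be set for it.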