This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

  • TI Thinks Resolved

CC3100MOD: WPA-Enterprise : PEAP0/1 with MSCHAPv2 (no certificates!)

Intellectual 350 points

Replies: 12

Views: 179

Part Number: CC3100MOD

We try to get PEAP0/1_MSCHAPv2 working with the CC3100MOD and FreeRadius as server.

We do NOT have programmed any certificates, not the ca nor the client/key as this should not be necessary. We disable "server authentification" in the cc3100mod.

The connection is not successful, see the attachments below.

Could you please help us identify the issue?

Thank you

int32_t connect(int32_t mode)
{
  // 0 - Disable the server authentication | 1 - Enable (this is the default)
  uint8_t pValues = 0;
  log_internal("Enable/Disable Server authentification (%d), ret=%d\n",
      (int)pValues,
      (int)sl_WlanSet((_u16)SL_WLAN_CFG_GENERAL_PARAM_ID, (_u16)19, (_u16)1 ,(_u8 *)&pValues)
  );

  char const dummyssid[32] = "ophtest-wpa2ent-up";
  const uint8_t dummymac[6] = {0,0,0,0,0,0};


  SlSecParams_t dummysecparams = {
      SL_SEC_TYPE_WPA_ENT,
      (signed char *)"testing", (uint8_t)strlen("testing"),
  };
  SlSecParamsExt_t dummysecparamsext = {
      (signed char *)"test01", (uint8_t)strlen("test01"),
      nullptr, 0,
      0, // cert index not supported
      SL_ENT_EAP_METHOD_PEAP0_MSCHAPv2
  };

  int16_t ret = -1;

  // disable auto connect with programmed profiles
  ret = sl_WlanPolicySet(SL_POLICY_CONNECTION ,
      SL_CONNECTION_POLICY(0,0,0,0,0), 0, 0);

  *_tim_breakup_fin = false;
  _tim_breakup->start();

  ret = sl_WlanConnect(
      (const _i8*)dummyssid,  /*pName*/
      strlen(dummyssid),      /*NameLen*/
      dummymac,               /*pMacAddr*/
      &dummysecparams,        /*pSecParams*/
      &dummysecparamsext     /*pSecExtParams*/);

  while( (!IS_CONNECTED(_sl_state)) || (!IS_IP_ACQUIRED(_sl_state)) )
  {
    // nothing to do .. sl spawn thread will take care of it, just wait until the connection has been established
    if(*_tim_breakup_fin)
    {
      break;
    }
  }

  if(*_tim_breakup_fin)
  {
    ret = FAIL; // couldn't connect
  }
  else
  {
    _tim_breakup->stop();
    ret = SUCCESS;
  }

  *_tim_breakup_fin = false;

  return ret;
}

(52) Received Access-Request Id 246 from 192.168.1.20:32778 to 192.168.1.10:1812 length 163
(52)   User-Name = "test01"
(52)   NAS-IP-Address = 192.168.1.20
(52)   NAS-Port = 0
(52)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
(52)   Calling-Station-Id = "78-04-73-D4-B4-24"
(52)   Framed-MTU = 1400
(52)   NAS-Port-Type = Wireless-802.11
(52)   Connect-Info = "CONNECT 0Mbps 802.11g"
(52)   EAP-Message = 0x0200000b01746573743031
(52)   Message-Authenticator = 0x4ceab2578c8f02a075a7f11f6320a748
(52) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(52)   authorize {
(52)     policy filter_username {
(52)       if (&User-Name) {
(52)       if (&User-Name)  -> TRUE
(52)       if (&User-Name)  {
(52)         if (&User-Name =~ / /) {
(52)         if (&User-Name =~ / /)  -> FALSE
(52)         if (&User-Name =~ /@[^@]*@/ ) {
(52)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(52)         if (&User-Name =~ /\.\./ ) {
(52)         if (&User-Name =~ /\.\./ )  -> FALSE
(52)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(52)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(52)         if (&User-Name =~ /\.$/)  {
(52)         if (&User-Name =~ /\.$/)   -> FALSE
(52)         if (&User-Name =~ /@\./)  {
(52)         if (&User-Name =~ /@\./)   -> FALSE
(52)       } # if (&User-Name)  = notfound
(52)     } # policy filter_username = notfound
(52)     [preprocess] = ok
(52)     [chap] = noop
(52)     [mschap] = noop
(52)     [digest] = noop
(52) suffix: Checking for suffix after "@"
(52) suffix: No '@' in User-Name = "test01", looking up realm NULL
(52) suffix: No such realm "NULL"
(52)     [suffix] = noop
(52) eap: Peer sent EAP Response (code 2) ID 0 length 11
(52) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(52)     [eap] = ok
(52)   } # authorize = ok
(52) Found Auth-Type = eap
(52) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(52)   authenticate {
(52) eap: Peer sent packet with method EAP Identity (1)
(52) eap: Calling submodule eap_md5 to process data
(52) eap_md5: Issuing MD5 Challenge
(52) eap: Sending EAP Request (code 1) ID 1 length 22
(52) eap: EAP session adding &reply:State = 0x633491436335957d
(52)     [eap] = handled
(52)   } # authenticate = handled
(52) Using Post-Auth-Type Challenge
(52) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(52)   Challenge { ... } # empty sub-section is ignored
(52) Sent Access-Challenge Id 246 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0
(52)   EAP-Message = 0x010100160410ba5f459eda3617acd2e624d807a8723c
(52)   Message-Authenticator = 0x00000000000000000000000000000000
(52)   State = 0x633491436335957dbc3411b176659974
(52) Finished request
Waking up in 4.9 seconds.
(53) Received Access-Request Id 247 from 192.168.1.20:32778 to 192.168.1.10:1812 length 176
(53)   User-Name = "test01"
(53)   NAS-IP-Address = 192.168.1.20
(53)   NAS-Port = 0
(53)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
(53)   Calling-Station-Id = "78-04-73-D4-B4-24"
(53)   Framed-MTU = 1400
(53)   NAS-Port-Type = Wireless-802.11
(53)   Connect-Info = "CONNECT 0Mbps 802.11g"
(53)   EAP-Message = 0x020100060319
(53)   State = 0x633491436335957dbc3411b176659974
(53)   Message-Authenticator = 0x9cfee8f9a78b498db004da9449e91e98
(53) session-state: No cached attributes
(53) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(53)   authorize {
(53)     policy filter_username {
(53)       if (&User-Name) {
(53)       if (&User-Name)  -> TRUE
(53)       if (&User-Name)  {
(53)         if (&User-Name =~ / /) {
(53)         if (&User-Name =~ / /)  -> FALSE
(53)         if (&User-Name =~ /@[^@]*@/ ) {
(53)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(53)         if (&User-Name =~ /\.\./ ) {
(53)         if (&User-Name =~ /\.\./ )  -> FALSE
(53)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(53)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(53)         if (&User-Name =~ /\.$/)  {
(53)         if (&User-Name =~ /\.$/)   -> FALSE
(53)         if (&User-Name =~ /@\./)  {
(53)         if (&User-Name =~ /@\./)   -> FALSE
(53)       } # if (&User-Name)  = notfound
(53)     } # policy filter_username = notfound
(53)     [preprocess] = ok
(53)     [chap] = noop
(53)     [mschap] = noop
(53)     [digest] = noop
(53) suffix: Checking for suffix after "@"
(53) suffix: No '@' in User-Name = "test01", looking up realm NULL
(53) suffix: No such realm "NULL"
(53)     [suffix] = noop
(53) eap: Peer sent EAP Response (code 2) ID 1 length 6
(53) eap: No EAP Start, assuming it's an on-going EAP conversation
(53)     [eap] = updated
(53) files: users: Matched entry test01 at line 1
(53)     [files] = ok
(53)     [expiration] = noop
(53)     [logintime] = noop
(53) pap: WARNING: Auth-Type already set.  Not setting to PAP
(53)     [pap] = noop
(53)   } # authorize = updated
(53) Found Auth-Type = eap
(53) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(53)   authenticate {
(53) eap: Expiring EAP session with state 0x633491436335957d
(53) eap: Finished EAP session with state 0x633491436335957d
(53) eap: Previous EAP request found for state 0x633491436335957d, released from the list
(53) eap: Peer sent packet with method EAP NAK (3)
(53) eap: Found mutually acceptable type PEAP (25)
(53) eap: Calling submodule eap_peap to process data
(53) eap_peap: Initiating new TLS session
(53) eap_peap: [eaptls start] = request
(53) eap: Sending EAP Request (code 1) ID 2 length 6
(53) eap: EAP session adding &reply:State = 0x633491436236887d
(53)     [eap] = handled
(53)   } # authenticate = handled
(53) Using Post-Auth-Type Challenge
(53) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(53)   Challenge { ... } # empty sub-section is ignored
(53) Sent Access-Challenge Id 247 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0
(53)   EAP-Message = 0x010200061920
(53)   Message-Authenticator = 0x00000000000000000000000000000000
(53)   State = 0x633491436236887dbc3411b176659974
(53) Finished request
Waking up in 4.9 seconds.
(54) Received Access-Request Id 248 from 192.168.1.20:32778 to 192.168.1.10:1812 length 176
(54)   User-Name = "test01"
(54)   NAS-IP-Address = 192.168.1.20
(54)   NAS-Port = 0
(54)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
(54)   Calling-Station-Id = "78-04-73-D4-B4-24"
(54)   Framed-MTU = 1400
(54)   NAS-Port-Type = Wireless-802.11
(54)   Connect-Info = "CONNECT 0Mbps 802.11g"
(54)   EAP-Message = 0x020200060300
(54)   State = 0x633491436236887dbc3411b176659974
(54)   Message-Authenticator = 0x90af88c3ea0d47d73d2b5e1764683fd8
(54) session-state: No cached attributes
(54) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(54)   authorize {
(54)     policy filter_username {
(54)       if (&User-Name) {
(54)       if (&User-Name)  -> TRUE
(54)       if (&User-Name)  {
(54)         if (&User-Name =~ / /) {
(54)         if (&User-Name =~ / /)  -> FALSE
(54)         if (&User-Name =~ /@[^@]*@/ ) {
(54)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(54)         if (&User-Name =~ /\.\./ ) {
(54)         if (&User-Name =~ /\.\./ )  -> FALSE
(54)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(54)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(54)         if (&User-Name =~ /\.$/)  {
(54)         if (&User-Name =~ /\.$/)   -> FALSE
(54)         if (&User-Name =~ /@\./)  {
(54)         if (&User-Name =~ /@\./)   -> FALSE
(54)       } # if (&User-Name)  = notfound
(54)     } # policy filter_username = notfound
(54)     [preprocess] = ok
(54)     [chap] = noop
(54)     [mschap] = noop
(54)     [digest] = noop
(54) suffix: Checking for suffix after "@"
(54) suffix: No '@' in User-Name = "test01", looking up realm NULL
(54) suffix: No such realm "NULL"
(54)     [suffix] = noop
(54) eap: Peer sent EAP Response (code 2) ID 2 length 6
(54) eap: No EAP Start, assuming it's an on-going EAP conversation
(54)     [eap] = updated
(54) files: users: Matched entry test01 at line 1
(54)     [files] = ok
(54)     [expiration] = noop
(54)     [logintime] = noop
(54) pap: WARNING: Auth-Type already set.  Not setting to PAP
(54)     [pap] = noop
(54)   } # authorize = updated
(54) Found Auth-Type = eap
(54) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(54)   authenticate {
(54) eap: Expiring EAP session with state 0x633491436236887d
(54) eap: Finished EAP session with state 0x633491436236887d
(54) eap: Previous EAP request found for state 0x633491436236887d, released from the list
(54) eap: Peer sent packet with method EAP NAK (3)
(54) eap: Peer NAK'd indicating it is not willing to continue 
(54) eap: Sending EAP Failure (code 4) ID 2 length 4
(54) eap: Failed in EAP select
(54)     [eap] = invalid
(54)   } # authenticate = invalid
(54) Failed to authenticate the user
(54) Using Post-Auth-Type Reject
(54) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(54)   Post-Auth-Type REJECT {
(54) attr_filter.access_reject: EXPAND %{User-Name}
(54) attr_filter.access_reject:    --> test01
(54) attr_filter.access_reject: Matched entry DEFAULT at line 11
(54)     [attr_filter.access_reject] = updated
(54)     [eap] = noop
(54)     policy remove_reply_message_if_eap {
(54)       if (&reply:EAP-Message && &reply:Reply-Message) {
(54)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(54)       else {
(54)         [noop] = noop
(54)       } # else = noop
(54)     } # policy remove_reply_message_if_eap = noop
(54)   } # Post-Auth-Type REJECT = updated
(54) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(54) Sending delayed response
(54) Sent Access-Reject Id 248 from 192.168.1.10:1812 to 192.168.1.20:32778 length 44
(54)   EAP-Message = 0x04020004
(54)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(55) Received Access-Request Id 249 from 192.168.1.20:32778 to 192.168.1.10:1812 length 163
(55)   User-Name = "test01"
(55)   NAS-IP-Address = 192.168.1.20
(55)   NAS-Port = 0
(55)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
(55)   Calling-Station-Id = "78-04-73-D4-B4-24"
(55)   Framed-MTU = 1400
(55)   NAS-Port-Type = Wireless-802.11
(55)   Connect-Info = "CONNECT 0Mbps 802.11g"
(55)   EAP-Message = 0x0200000b01746573743031
(55)   Message-Authenticator = 0xef10fa68009844fdf7211b785d7c251b
(55) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(55)   authorize {
(55)     policy filter_username {
(55)       if (&User-Name) {
(55)       if (&User-Name)  -> TRUE
(55)       if (&User-Name)  {
(55)         if (&User-Name =~ / /) {
(55)         if (&User-Name =~ / /)  -> FALSE
(55)         if (&User-Name =~ /@[^@]*@/ ) {
(55)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(55)         if (&User-Name =~ /\.\./ ) {
(55)         if (&User-Name =~ /\.\./ )  -> FALSE
(55)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(55)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(55)         if (&User-Name =~ /\.$/)  {
(55)         if (&User-Name =~ /\.$/)   -> FALSE
(55)         if (&User-Name =~ /@\./)  {
(55)         if (&User-Name =~ /@\./)   -> FALSE
(55)       } # if (&User-Name)  = notfound
(55)     } # policy filter_username = notfound
(55)     [preprocess] = ok
(55)     [chap] = noop
(55)     [mschap] = noop
(55)     [digest] = noop
(55) suffix: Checking for suffix after "@"
(55) suffix: No '@' in User-Name = "test01", looking up realm NULL
(55) suffix: No such realm "NULL"
(55)     [suffix] = noop
(55) eap: Peer sent EAP Response (code 2) ID 0 length 11
(55) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(55)     [eap] = ok
(55)   } # authorize = ok
(55) Found Auth-Type = eap
(55) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(55)   authenticate {
(55) eap: Peer sent packet with method EAP Identity (1)
(55) eap: Calling submodule eap_md5 to process data
(55) eap_md5: Issuing MD5 Challenge
(55) eap: Sending EAP Request (code 1) ID 1 length 22
(55) eap: EAP session adding &reply:State = 0x63735e5863725ae6
(55)     [eap] = handled
(55)   } # authenticate = handled
(55) Using Post-Auth-Type Challenge
(55) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(55)   Challenge { ... } # empty sub-section is ignored
(55) Sent Access-Challenge Id 249 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0
(55)   EAP-Message = 0x01010016041068b48875b03f069d5553d10b064ac816
(55)   Message-Authenticator = 0x00000000000000000000000000000000
(55)   State = 0x63735e5863725ae6e05a1d3b154eb421
(55) Finished request
Waking up in 1.6 seconds.
(56) Received Access-Request Id 250 from 192.168.1.20:32778 to 192.168.1.10:1812 length 176
(56)   User-Name = "test01"
(56)   NAS-IP-Address = 192.168.1.20
(56)   NAS-Port = 0
(56)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
(56)   Calling-Station-Id = "78-04-73-D4-B4-24"
(56)   Framed-MTU = 1400
(56)   NAS-Port-Type = Wireless-802.11
(56)   Connect-Info = "CONNECT 0Mbps 802.11g"
(56)   EAP-Message = 0x020100060319
(56)   State = 0x63735e5863725ae6e05a1d3b154eb421
(56)   Message-Authenticator = 0xfc3751df489663d525ecfaa82e691525
(56) session-state: No cached attributes
(56) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(56)   authorize {
(56)     policy filter_username {
(56)       if (&User-Name) {
(56)       if (&User-Name)  -> TRUE
(56)       if (&User-Name)  {
(56)         if (&User-Name =~ / /) {
(56)         if (&User-Name =~ / /)  -> FALSE
(56)         if (&User-Name =~ /@[^@]*@/ ) {
(56)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(56)         if (&User-Name =~ /\.\./ ) {
(56)         if (&User-Name =~ /\.\./ )  -> FALSE
(56)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(56)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(56)         if (&User-Name =~ /\.$/)  {
(56)         if (&User-Name =~ /\.$/)   -> FALSE
(56)         if (&User-Name =~ /@\./)  {
(56)         if (&User-Name =~ /@\./)   -> FALSE
(56)       } # if (&User-Name)  = notfound
(56)     } # policy filter_username = notfound
(56)     [preprocess] = ok
(56)     [chap] = noop
(56)     [mschap] = noop
(56)     [digest] = noop
(56) suffix: Checking for suffix after "@"
(56) suffix: No '@' in User-Name = "test01", looking up realm NULL
(56) suffix: No such realm "NULL"
(56)     [suffix] = noop
(56) eap: Peer sent EAP Response (code 2) ID 1 length 6
(56) eap: No EAP Start, assuming it's an on-going EAP conversation
(56)     [eap] = updated
(56) files: users: Matched entry test01 at line 1
(56)     [files] = ok
(56)     [expiration] = noop
(56)     [logintime] = noop
(56) pap: WARNING: Auth-Type already set.  Not setting to PAP
(56)     [pap] = noop
(56)   } # authorize = updated
(56) Found Auth-Type = eap
(56) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(56)   authenticate {
(56) eap: Expiring EAP session with state 0x63735e5863725ae6
(56) eap: Finished EAP session with state 0x63735e5863725ae6
(56) eap: Previous EAP request found for state 0x63735e5863725ae6, released from the list
(56) eap: Peer sent packet with method EAP NAK (3)
(56) eap: Found mutually acceptable type PEAP (25)
(56) eap: Calling submodule eap_peap to process data
(56) eap_peap: Initiating new TLS session
(56) eap_peap: [eaptls start] = request
(56) eap: Sending EAP Request (code 1) ID 2 length 6
(56) eap: EAP session adding &reply:State = 0x63735e58627147e6
(56)     [eap] = handled
(56)   } # authenticate = handled
(56) Using Post-Auth-Type Challenge
(56) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(56)   Challenge { ... } # empty sub-section is ignored
(56) Sent Access-Challenge Id 250 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0
(56)   EAP-Message = 0x010200061920
(56)   Message-Authenticator = 0x00000000000000000000000000000000
(56)   State = 0x63735e58627147e6e05a1d3b154eb421
(56) Finished request
Waking up in 1.6 seconds.
(57) Received Access-Request Id 251 from 192.168.1.20:32778 to 192.168.1.10:1812 length 176
(57)   User-Name = "test01"
(57)   NAS-IP-Address = 192.168.1.20
(57)   NAS-Port = 0
(57)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
(57)   Calling-Station-Id = "78-04-73-D4-B4-24"
(57)   Framed-MTU = 1400
(57)   NAS-Port-Type = Wireless-802.11
(57)   Connect-Info = "CONNECT 0Mbps 802.11g"
(57)   EAP-Message = 0x020200060300
(57)   State = 0x63735e58627147e6e05a1d3b154eb421
(57)   Message-Authenticator = 0xc33ab970a8a9c1c0e5a1e367b874a105
(57) session-state: No cached attributes
(57) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(57)   authorize {
(57)     policy filter_username {
(57)       if (&User-Name) {
(57)       if (&User-Name)  -> TRUE
(57)       if (&User-Name)  {
(57)         if (&User-Name =~ / /) {
(57)         if (&User-Name =~ / /)  -> FALSE
(57)         if (&User-Name =~ /@[^@]*@/ ) {
(57)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(57)         if (&User-Name =~ /\.\./ ) {
(57)         if (&User-Name =~ /\.\./ )  -> FALSE
(57)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(57)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(57)         if (&User-Name =~ /\.$/)  {
(57)         if (&User-Name =~ /\.$/)   -> FALSE
(57)         if (&User-Name =~ /@\./)  {
(57)         if (&User-Name =~ /@\./)   -> FALSE
(57)       } # if (&User-Name)  = notfound
(57)     } # policy filter_username = notfound
(57)     [preprocess] = ok
(57)     [chap] = noop
(57)     [mschap] = noop
(57)     [digest] = noop
(57) suffix: Checking for suffix after "@"
(57) suffix: No '@' in User-Name = "test01", looking up realm NULL
(57) suffix: No such realm "NULL"
(57)     [suffix] = noop
(57) eap: Peer sent EAP Response (code 2) ID 2 length 6
(57) eap: No EAP Start, assuming it's an on-going EAP conversation
(57)     [eap] = updated
(57) files: users: Matched entry test01 at line 1
(57)     [files] = ok
(57)     [expiration] = noop
(57)     [logintime] = noop
(57) pap: WARNING: Auth-Type already set.  Not setting to PAP
(57)     [pap] = noop
(57)   } # authorize = updated
(57) Found Auth-Type = eap
(57) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(57)   authenticate {
(57) eap: Expiring EAP session with state 0x63735e58627147e6
(57) eap: Finished EAP session with state 0x63735e58627147e6
(57) eap: Previous EAP request found for state 0x63735e58627147e6, released from the list
(57) eap: Peer sent packet with method EAP NAK (3)
(57) eap: Peer NAK'd indicating it is not willing to continue 
(57) eap: Sending EAP Failure (code 4) ID 2 length 4
(57) eap: Failed in EAP select
(57)     [eap] = invalid
(57)   } # authenticate = invalid
(57) Failed to authenticate the user
(57) Using Post-Auth-Type Reject
(57) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(57)   Post-Auth-Type REJECT {
(57) attr_filter.access_reject: EXPAND %{User-Name}
(57) attr_filter.access_reject:    --> test01
(57) attr_filter.access_reject: Matched entry DEFAULT at line 11
(57)     [attr_filter.access_reject] = updated
(57)     [eap] = noop
(57)     policy remove_reply_message_if_eap {
(57)       if (&reply:EAP-Message && &reply:Reply-Message) {
(57)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(57)       else {
(57)         [noop] = noop
(57)       } # else = noop
(57)     } # policy remove_reply_message_if_eap = noop
(57)   } # Post-Auth-Type REJECT = updated
(57) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(57) Sending delayed response
(57) Sent Access-Reject Id 251 from 192.168.1.10:1812 to 192.168.1.20:32778 length 44
(57)   EAP-Message = 0x04020004
(57)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.6 seconds.
(52) Cleaning up request packet ID 246 with timestamp +2298
(53) Cleaning up request packet ID 247 with timestamp +2298
(54) Cleaning up request packet ID 248 with timestamp +2298
Waking up in 3.3 seconds.
(58) Received Access-Request Id 252 from 192.168.1.20:32778 to 192.168.1.10:1812 length 163
(58)   User-Name = "test01"
(58)   NAS-IP-Address = 192.168.1.20
(58)   NAS-Port = 0
(58)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
(58)   Calling-Station-Id = "78-04-73-D4-B4-24"
(58)   Framed-MTU = 1400
(58)   NAS-Port-Type = Wireless-802.11
(58)   Connect-Info = "CONNECT 0Mbps 802.11g"
(58)   EAP-Message = 0x0200000b01746573743031
(58)   Message-Authenticator = 0x8087e4271b0fdcde223342ef9dd07a2d
(58) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(58)   authorize {
(58)     policy filter_username {
(58)       if (&User-Name) {
(58)       if (&User-Name)  -> TRUE
(58)       if (&User-Name)  {
(58)         if (&User-Name =~ / /) {
(58)         if (&User-Name =~ / /)  -> FALSE
(58)         if (&User-Name =~ /@[^@]*@/ ) {
(58)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(58)         if (&User-Name =~ /\.\./ ) {
(58)         if (&User-Name =~ /\.\./ )  -> FALSE
(58)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(58)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(58)         if (&User-Name =~ /\.$/)  {
(58)         if (&User-Name =~ /\.$/)   -> FALSE
(58)         if (&User-Name =~ /@\./)  {
(58)         if (&User-Name =~ /@\./)   -> FALSE
(58)       } # if (&User-Name)  = notfound
(58)     } # policy filter_username = notfound
(58)     [preprocess] = ok
(58)     [chap] = noop
(58)     [mschap] = noop
(58)     [digest] = noop
(58) suffix: Checking for suffix after "@"
(58) suffix: No '@' in User-Name = "test01", looking up realm NULL
(58) suffix: No such realm "NULL"
(58)     [suffix] = noop
(58) eap: Peer sent EAP Response (code 2) ID 0 length 11
(58) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(58)     [eap] = ok
(58)   } # authorize = ok
(58) Found Auth-Type = eap
(58) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(58)   authenticate {
(58) eap: Peer sent packet with method EAP Identity (1)
(58) eap: Calling submodule eap_md5 to process data
(58) eap_md5: Issuing MD5 Challenge
(58) eap: Sending EAP Request (code 1) ID 1 length 22
(58) eap: EAP session adding &reply:State = 0x2495222a249426c6
(58)     [eap] = handled
(58)   } # authenticate = handled
(58) Using Post-Auth-Type Challenge
(58) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(58)   Challenge { ... } # empty sub-section is ignored
(58) Sent Access-Challenge Id 252 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0
(58)   EAP-Message = 0x01010016041039f1f2b9147a22c98fa2c02d2638cf8c
(58)   Message-Authenticator = 0x00000000000000000000000000000000
(58)   State = 0x2495222a249426c65548f2a1339b6a08
(58) Finished request
Waking up in 1.3 seconds.
(59) Received Access-Request Id 253 from 192.168.1.20:32778 to 192.168.1.10:1812 length 176
(59)   User-Name = "test01"
(59)   NAS-IP-Address = 192.168.1.20
(59)   NAS-Port = 0
(59)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
(59)   Calling-Station-Id = "78-04-73-D4-B4-24"
(59)   Framed-MTU = 1400
(59)   NAS-Port-Type = Wireless-802.11
(59)   Connect-Info = "CONNECT 0Mbps 802.11g"
(59)   EAP-Message = 0x020100060319
(59)   State = 0x2495222a249426c65548f2a1339b6a08
(59)   Message-Authenticator = 0x14fc2eea705ed936b8612c6f0d377d37
(59) session-state: No cached attributes
(59) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(59)   authorize {
(59)     policy filter_username {
(59)       if (&User-Name) {
(59)       if (&User-Name)  -> TRUE
(59)       if (&User-Name)  {
(59)         if (&User-Name =~ / /) {
(59)         if (&User-Name =~ / /)  -> FALSE
(59)         if (&User-Name =~ /@[^@]*@/ ) {
(59)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(59)         if (&User-Name =~ /\.\./ ) {
(59)         if (&User-Name =~ /\.\./ )  -> FALSE
(59)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(59)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(59)         if (&User-Name =~ /\.$/)  {
(59)         if (&User-Name =~ /\.$/)   -> FALSE
(59)         if (&User-Name =~ /@\./)  {
(59)         if (&User-Name =~ /@\./)   -> FALSE
(59)       } # if (&User-Name)  = notfound
(59)     } # policy filter_username = notfound
(59)     [preprocess] = ok
(59)     [chap] = noop
(59)     [mschap] = noop
(59)     [digest] = noop
(59) suffix: Checking for suffix after "@"
(59) suffix: No '@' in User-Name = "test01", looking up realm NULL
(59) suffix: No such realm "NULL"
(59)     [suffix] = noop
(59) eap: Peer sent EAP Response (code 2) ID 1 length 6
(59) eap: No EAP Start, assuming it's an on-going EAP conversation
(59)     [eap] = updated
(59) files: users: Matched entry test01 at line 1
(59)     [files] = ok
(59)     [expiration] = noop
(59)     [logintime] = noop
(59) pap: WARNING: Auth-Type already set.  Not setting to PAP
(59)     [pap] = noop
(59)   } # authorize = updated
(59) Found Auth-Type = eap
(59) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(59)   authenticate {
(59) eap: Expiring EAP session with state 0x2495222a249426c6
(59) eap: Finished EAP session with state 0x2495222a249426c6
(59) eap: Previous EAP request found for state 0x2495222a249426c6, released from the list
(59) eap: Peer sent packet with method EAP NAK (3)
(59) eap: Found mutually acceptable type PEAP (25)
(59) eap: Calling submodule eap_peap to process data
(59) eap_peap: Initiating new TLS session
(59) eap_peap: [eaptls start] = request
(59) eap: Sending EAP Request (code 1) ID 2 length 6
(59) eap: EAP session adding &reply:State = 0x2495222a25973bc6
(59)     [eap] = handled
(59)   } # authenticate = handled
(59) Using Post-Auth-Type Challenge
(59) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(59)   Challenge { ... } # empty sub-section is ignored
(59) Sent Access-Challenge Id 253 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0
(59)   EAP-Message = 0x010200061920
(59)   Message-Authenticator = 0x00000000000000000000000000000000
(59)   State = 0x2495222a25973bc65548f2a1339b6a08
(59) Finished request
Waking up in 1.3 seconds.
(60) Received Access-Request Id 254 from 192.168.1.20:32778 to 192.168.1.10:1812 length 176
(60)   User-Name = "test01"
(60)   NAS-IP-Address = 192.168.1.20
(60)   NAS-Port = 0
(60)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
(60)   Calling-Station-Id = "78-04-73-D4-B4-24"
(60)   Framed-MTU = 1400
(60)   NAS-Port-Type = Wireless-802.11
(60)   Connect-Info = "CONNECT 0Mbps 802.11g"
(60)   EAP-Message = 0x020200060300
(60)   State = 0x2495222a25973bc65548f2a1339b6a08
(60)   Message-Authenticator = 0xb644cab894ae217a6849d0600c69190c
(60) session-state: No cached attributes
(60) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(60)   authorize {
(60)     policy filter_username {
(60)       if (&User-Name) {
(60)       if (&User-Name)  -> TRUE
(60)       if (&User-Name)  {
(60)         if (&User-Name =~ / /) {
(60)         if (&User-Name =~ / /)  -> FALSE
(60)         if (&User-Name =~ /@[^@]*@/ ) {
(60)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(60)         if (&User-Name =~ /\.\./ ) {
(60)         if (&User-Name =~ /\.\./ )  -> FALSE
(60)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(60)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(60)         if (&User-Name =~ /\.$/)  {
(60)         if (&User-Name =~ /\.$/)   -> FALSE
(60)         if (&User-Name =~ /@\./)  {
(60)         if (&User-Name =~ /@\./)   -> FALSE
(60)       } # if (&User-Name)  = notfound
(60)     } # policy filter_username = notfound
(60)     [preprocess] = ok
(60)     [chap] = noop
(60)     [mschap] = noop
(60)     [digest] = noop
(60) suffix: Checking for suffix after "@"
(60) suffix: No '@' in User-Name = "test01", looking up realm NULL
(60) suffix: No such realm "NULL"
(60)     [suffix] = noop
(60) eap: Peer sent EAP Response (code 2) ID 2 length 6
(60) eap: No EAP Start, assuming it's an on-going EAP conversation
(60)     [eap] = updated
(60) files: users: Matched entry test01 at line 1
(60)     [files] = ok
(60)     [expiration] = noop
(60)     [logintime] = noop
(60) pap: WARNING: Auth-Type already set.  Not setting to PAP
(60)     [pap] = noop
(60)   } # authorize = updated
(60) Found Auth-Type = eap
(60) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(60)   authenticate {
(60) eap: Expiring EAP session with state 0x2495222a25973bc6
(60) eap: Finished EAP session with state 0x2495222a25973bc6
(60) eap: Previous EAP request found for state 0x2495222a25973bc6, released from the list
(60) eap: Peer sent packet with method EAP NAK (3)
(60) eap: Peer NAK'd indicating it is not willing to continue 
(60) eap: Sending EAP Failure (code 4) ID 2 length 4
(60) eap: Failed in EAP select
(60)     [eap] = invalid
(60)   } # authenticate = invalid
(60) Failed to authenticate the user
(60) Using Post-Auth-Type Reject
(60) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(60)   Post-Auth-Type REJECT {
(60) attr_filter.access_reject: EXPAND %{User-Name}
(60) attr_filter.access_reject:    --> test01
(60) attr_filter.access_reject: Matched entry DEFAULT at line 11
(60)     [attr_filter.access_reject] = updated
(60)     [eap] = noop
(60)     policy remove_reply_message_if_eap {
(60)       if (&reply:EAP-Message && &reply:Reply-Message) {
(60)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(60)       else {
(60)         [noop] = noop
(60)       } # else = noop
(60)     } # policy remove_reply_message_if_eap = noop
(60)   } # Post-Auth-Type REJECT = updated
(60) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(60) Sending delayed response
(60) Sent Access-Reject Id 254 from 192.168.1.10:1812 to 192.168.1.20:32778 length 44
(60)   EAP-Message = 0x04020004
(60)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.3 seconds.
(55) Cleaning up request packet ID 249 with timestamp +2302
(56) Cleaning up request packet ID 250 with timestamp +2302
(57) Cleaning up request packet ID 251 with timestamp +2302
Waking up in 3.6 seconds.
(61) Received Access-Request Id 255 from 192.168.1.20:32778 to 192.168.1.10:1812 length 163
(61)   User-Name = "test01"
(61)   NAS-IP-Address = 192.168.1.20
(61)   NAS-Port = 0
(61)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
(61)   Calling-Station-Id = "78-04-73-D4-B4-24"
(61)   Framed-MTU = 1400
(61)   NAS-Port-Type = Wireless-802.11
(61)   Connect-Info = "CONNECT 0Mbps 802.11g"
(61)   EAP-Message = 0x0200000b01746573743031
(61)   Message-Authenticator = 0x49e167e9cb3b5ff509d8d3e5b61c1b2a
(61) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(61)   authorize {
(61)     policy filter_username {
(61)       if (&User-Name) {
(61)       if (&User-Name)  -> TRUE
(61)       if (&User-Name)  {
(61)         if (&User-Name =~ / /) {
(61)         if (&User-Name =~ / /)  -> FALSE
(61)         if (&User-Name =~ /@[^@]*@/ ) {
(61)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(61)         if (&User-Name =~ /\.\./ ) {
(61)         if (&User-Name =~ /\.\./ )  -> FALSE
(61)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(61)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(61)         if (&User-Name =~ /\.$/)  {
(61)         if (&User-Name =~ /\.$/)   -> FALSE
(61)         if (&User-Name =~ /@\./)  {
(61)         if (&User-Name =~ /@\./)   -> FALSE
(61)       } # if (&User-Name)  = notfound
(61)     } # policy filter_username = notfound
(61)     [preprocess] = ok
(61)     [chap] = noop
(61)     [mschap] = noop
(61)     [digest] = noop
(61) suffix: Checking for suffix after "@"
(61) suffix: No '@' in User-Name = "test01", looking up realm NULL
(61) suffix: No such realm "NULL"
(61)     [suffix] = noop
(61) eap: Peer sent EAP Response (code 2) ID 0 length 11
(61) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(61)     [eap] = ok
(61)   } # authorize = ok
(61) Found Auth-Type = eap
(61) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(61)   authenticate {
(61) eap: Peer sent packet with method EAP Identity (1)
(61) eap: Calling submodule eap_md5 to process data
(61) eap_md5: Issuing MD5 Challenge
(61) eap: Sending EAP Request (code 1) ID 1 length 22
(61) eap: EAP session adding &reply:State = 0x01ee96a501ef923e
(61)     [eap] = handled
(61)   } # authenticate = handled
(61) Using Post-Auth-Type Challenge
(61) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(61)   Challenge { ... } # empty sub-section is ignored
(61) Sent Access-Challenge Id 255 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0
(61)   EAP-Message = 0x010100160410b9a93abf296e702820def3851ae1fe1e
(61)   Message-Authenticator = 0x00000000000000000000000000000000
(61)   State = 0x01ee96a501ef923e357b999b078feb76
(61) Finished request
Waking up in 1.6 seconds.
(62) Received Access-Request Id 0 from 192.168.1.20:32778 to 192.168.1.10:1812 length 176
(62)   User-Name = "test01"
(62)   NAS-IP-Address = 192.168.1.20
(62)   NAS-Port = 0
(62)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
(62)   Calling-Station-Id = "78-04-73-D4-B4-24"
(62)   Framed-MTU = 1400
(62)   NAS-Port-Type = Wireless-802.11
(62)   Connect-Info = "CONNECT 0Mbps 802.11g"
(62)   EAP-Message = 0x020100060319
(62)   State = 0x01ee96a501ef923e357b999b078feb76
(62)   Message-Authenticator = 0xa17bce3f4ec7c654391d269bedd78571
(62) session-state: No cached attributes
(62) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(62)   authorize {
(62)     policy filter_username {
(62)       if (&User-Name) {
(62)       if (&User-Name)  -> TRUE
(62)       if (&User-Name)  {
(62)         if (&User-Name =~ / /) {
(62)         if (&User-Name =~ / /)  -> FALSE
(62)         if (&User-Name =~ /@[^@]*@/ ) {
(62)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(62)         if (&User-Name =~ /\.\./ ) {
(62)         if (&User-Name =~ /\.\./ )  -> FALSE
(62)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(62)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(62)         if (&User-Name =~ /\.$/)  {
(62)         if (&User-Name =~ /\.$/)   -> FALSE
(62)         if (&User-Name =~ /@\./)  {
(62)         if (&User-Name =~ /@\./)   -> FALSE
(62)       } # if (&User-Name)  = notfound
(62)     } # policy filter_username = notfound
(62)     [preprocess] = ok
(62)     [chap] = noop
(62)     [mschap] = noop
(62)     [digest] = noop
(62) suffix: Checking for suffix after "@"
(62) suffix: No '@' in User-Name = "test01", looking up realm NULL
(62) suffix: No such realm "NULL"
(62)     [suffix] = noop
(62) eap: Peer sent EAP Response (code 2) ID 1 length 6
(62) eap: No EAP Start, assuming it's an on-going EAP conversation
(62)     [eap] = updated
(62) files: users: Matched entry test01 at line 1
(62)     [files] = ok
(62)     [expiration] = noop
(62)     [logintime] = noop
(62) pap: WARNING: Auth-Type already set.  Not setting to PAP
(62)     [pap] = noop
(62)   } # authorize = updated
(62) Found Auth-Type = eap
(62) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(62)   authenticate {
(62) eap: Expiring EAP session with state 0x01ee96a501ef923e
(62) eap: Finished EAP session with state 0x01ee96a501ef923e
(62) eap: Previous EAP request found for state 0x01ee96a501ef923e, released from the list
(62) eap: Peer sent packet with method EAP NAK (3)
(62) eap: Found mutually acceptable type PEAP (25)
(62) eap: Calling submodule eap_peap to process data
(62) eap_peap: Initiating new TLS session
(62) eap_peap: [eaptls start] = request
(62) eap: Sending EAP Request (code 1) ID 2 length 6
(62) eap: EAP session adding &reply:State = 0x01ee96a500ec8f3e
(62)     [eap] = handled
(62)   } # authenticate = handled
(62) Using Post-Auth-Type Challenge
(62) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(62)   Challenge { ... } # empty sub-section is ignored
(62) Sent Access-Challenge Id 0 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0
(62)   EAP-Message = 0x010200061920
(62)   Message-Authenticator = 0x00000000000000000000000000000000
(62)   State = 0x01ee96a500ec8f3e357b999b078feb76
(62) Finished request
Waking up in 1.6 seconds.
(63) Received Access-Request Id 1 from 192.168.1.20:32778 to 192.168.1.10:1812 length 176
(63)   User-Name = "test01"
(63)   NAS-IP-Address = 192.168.1.20
(63)   NAS-Port = 0
(63)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
(63)   Calling-Station-Id = "78-04-73-D4-B4-24"
(63)   Framed-MTU = 1400
(63)   NAS-Port-Type = Wireless-802.11
(63)   Connect-Info = "CONNECT 0Mbps 802.11g"
(63)   EAP-Message = 0x020200060300
(63)   State = 0x01ee96a500ec8f3e357b999b078feb76
(63)   Message-Authenticator = 0x66bdf6161c0e88e2980aab79ee0ac5a8
(63) session-state: No cached attributes
(63) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(63)   authorize {
(63)     policy filter_username {
(63)       if (&User-Name) {
(63)       if (&User-Name)  -> TRUE
(63)       if (&User-Name)  {
(63)         if (&User-Name =~ / /) {
(63)         if (&User-Name =~ / /)  -> FALSE
(63)         if (&User-Name =~ /@[^@]*@/ ) {
(63)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(63)         if (&User-Name =~ /\.\./ ) {
(63)         if (&User-Name =~ /\.\./ )  -> FALSE
(63)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(63)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(63)         if (&User-Name =~ /\.$/)  {
(63)         if (&User-Name =~ /\.$/)   -> FALSE
(63)         if (&User-Name =~ /@\./)  {
(63)         if (&User-Name =~ /@\./)   -> FALSE
(63)       } # if (&User-Name)  = notfound
(63)     } # policy filter_username = notfound
(63)     [preprocess] = ok
(63)     [chap] = noop
(63)     [mschap] = noop
(63)     [digest] = noop
(63) suffix: Checking for suffix after "@"
(63) suffix: No '@' in User-Name = "test01", looking up realm NULL
(63) suffix: No such realm "NULL"
(63)     [suffix] = noop
(63) eap: Peer sent EAP Response (code 2) ID 2 length 6
(63) eap: No EAP Start, assuming it's an on-going EAP conversation
(63)     [eap] = updated
(63) files: users: Matched entry test01 at line 1
(63)     [files] = ok
(63)     [expiration] = noop
(63)     [logintime] = noop
(63) pap: WARNING: Auth-Type already set.  Not setting to PAP
(63)     [pap] = noop
(63)   } # authorize = updated
(63) Found Auth-Type = eap
(63) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(63)   authenticate {
(63) eap: Expiring EAP session with state 0x01ee96a500ec8f3e
(63) eap: Finished EAP session with state 0x01ee96a500ec8f3e
(63) eap: Previous EAP request found for state 0x01ee96a500ec8f3e, released from the list
(63) eap: Peer sent packet with method EAP NAK (3)
(63) eap: Peer NAK'd indicating it is not willing to continue 
(63) eap: Sending EAP Failure (code 4) ID 2 length 4
(63) eap: Failed in EAP select
(63)     [eap] = invalid
(63)   } # authenticate = invalid
(63) Failed to authenticate the user
(63) Using Post-Auth-Type Reject
(63) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(63)   Post-Auth-Type REJECT {
(63) attr_filter.access_reject: EXPAND %{User-Name}
(63) attr_filter.access_reject:    --> test01
(63) attr_filter.access_reject: Matched entry DEFAULT at line 11
(63)     [attr_filter.access_reject] = updated
(63)     [eap] = noop
(63)     policy remove_reply_message_if_eap {
(63)       if (&reply:EAP-Message && &reply:Reply-Message) {
(63)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(63)       else {
(63)         [noop] = noop
(63)       } # else = noop
(63)     } # policy remove_reply_message_if_eap = noop
(63)   } # Post-Auth-Type REJECT = updated
(63) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(63) Sending delayed response
(63) Sent Access-Reject Id 1 from 192.168.1.10:1812 to 192.168.1.20:32778 length 44
(63)   EAP-Message = 0x04020004
(63)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.5 seconds.
(58) Cleaning up request packet ID 252 with timestamp +2305
(59) Cleaning up request packet ID 253 with timestamp +2305
(60) Cleaning up request packet ID 254 with timestamp +2305
Waking up in 3.3 seconds.
(61) Cleaning up request packet ID 255 with timestamp +2309
(62) Cleaning up request packet ID 0 with timestamp +2309
(63) Cleaning up request packet ID 1 with timestamp +2309
Ready to process requests

  • Hi,
    In your code, you disable server auth using the following code:
    log_internal("Enable/Disable Server authentification (%d), ret=%d\n",
          (int)pValues,
          (int)sl_WlanSet((_u16)SL_WLAN_CFG_GENERAL_PARAM_ID, (_u16)19, (_u16)1 ,(_u8 *)&pValues);
    but the value of SL_WLAN_GENERAL_PARAM_DISABLE_ENT_SERVER_AUTH is 32.
    Br,
    Kobi
  • In reply to Kobi Leibovitch:

    Please ignore the previous response since I just saw you are using CC3100 (so 19 is the right value).

    Please provide the NWP logs of the connection (see https://processors.wiki.ti.com/index.php/CC3100_&_CC3200_Capture_NWP_Logs).

    Br,

    Kobi

  • In reply to Kobi Leibovitch:

    Hi kobi.

    i do not have the pinmux.c file, nor a function called PinMuxConfig().

    we use an other MCU as "master" and the cc3100mod is only running on the default firmware by TI for wifi networking.
    does this chip by default flush NWP uart info over pin 62?

    PS: i forgot to mention: the radius server is working ok with windows10, ubuntu20.04 and android. just the cc3100mod wont connect.

  • In reply to cc3100moduser:

    you should call the following in your application to get the logs onpin 62:

    // If your application already have UART0 configured, no need for this line

    MAP_PRCMPeripheralClkEnable(PRCM_UARTA0, PRCM_RUN_MODE_CLK);

    // Mux Pin62 to mode 1 to output NWP logs

    MAP_PinTypeUART(PIN_62, PIN_MODE_1); 

  • In reply to Kobi Leibovitch:

    Kobi

    This matter is quite urgent to us, would it be possible to have a call?

    I think you misunderstand me here. I do not use TI-OS or similar, all i have is the CC3100-SDK/Simplelink!
    Please see the tree below

    .
    ├── include
    │   ├── device.h
    │   ├── fs.h
    │   ├── netapp.h
    │   ├── netcfg.h
    │   ├── simplelink.h
    │   ├── socket.h
    │   ├── trace.h
    │   ├── wlan.h
    │   └── wlan_rx_filters.h
    ├── README.txt
    ├── source
    │   ├── device.c
    │   ├── driver.c
    │   ├── driver.h
    │   ├── flowcont.c
    │   ├── flowcont.h
    │   ├── fs.c
    │   ├── netapp.c
    │   ├── netcfg.c
    │   ├── nonos.c
    │   ├── nonos.h
    │   ├── objInclusion.h
    │   ├── protocol.h
    │   ├── socket.c
    │   ├── spawn.c
    │   ├── spawn.h
    │   └── wlan.c
    └── template_user.h
    

  • In reply to cc3100moduser:

    Kobi

    We are one step further, and we went ahead and programmed the ca.pem (even if this technically should not be required!).
    Now they start talking to each other, although now the issue is that the cc3100mod requests TLS v1.3, where freeradius is only able to handle 1.0 - 1.2.

    Is there a solution to change the tls version in the case of wpa-enterprise to v1.2?
    i dont see any options to change this based on the simplelink API.

    a quick respond is highly appreciated.

    thanks

  • In reply to cc3100moduser:

    This is not possible. The CC3100 only supports TLS1.0 (you might saw the SSL major=3, minor=1 which corresponds to the following definition).

    SSLv3_MAJOR     = 3,        /* SSLv3 and TLSv1+  major version number */

    SSLv3_MINOR     = 0,        /* TLSv1   minor version number */

    TLSv1_MINOR     = 1,        /* TLSv1   minor version number */

    TLSv1_1_MINOR   = 2,        /* TLSv1_1 minor version number */

    TLSv1_2_MINOR   = 3,        /* TLSv1_2 minor version number */

    I've just confirmed that indeed the CC3100 require setting a (dummy) root ca even when server authentication is disabled.

    Please send us the update failure log.

    Br,

    Kobi

  • In reply to Kobi Leibovitch:

    Latest Log output (update):

    What i was talking about was those 2 lines:

    (5) eap_peap: <<< recv TLS 1.3  [length 0033]
    (5) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
    Therefore i think we misinterpreted the output, we assumed receive 1.3 means that the device requests that.

    Ready to process requests
    (0) Received Access-Request Id 198 from 192.168.1.20:32778 to 192.168.1.10:1812 length 163
    (0)   User-Name = "test01"
    (0)   NAS-IP-Address = 192.168.1.20
    (0)   NAS-Port = 0
    (0)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
    (0)   Calling-Station-Id = "78-04-73-D4-B4-24"
    (0)   Framed-MTU = 1400
    (0)   NAS-Port-Type = Wireless-802.11
    (0)   Connect-Info = "CONNECT 0Mbps 802.11g"
    (0)   EAP-Message = 0x0200000b01746573743031
    (0)   Message-Authenticator = 0x55881a5d4d7a4f5ae978e381e99aedd9
    (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (0)   authorize {
    (0)     policy filter_username {
    (0)       if (&User-Name) {
    (0)       if (&User-Name)  -> TRUE
    (0)       if (&User-Name)  {
    (0)         if (&User-Name =~ / /) {
    (0)         if (&User-Name =~ / /)  -> FALSE
    (0)         if (&User-Name =~ /@[^@]*@/ ) {
    (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
    (0)         if (&User-Name =~ /\.\./ ) {
    (0)         if (&User-Name =~ /\.\./ )  -> FALSE
    (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
    (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
    (0)         if (&User-Name =~ /\.$/)  {
    (0)         if (&User-Name =~ /\.$/)   -> FALSE
    (0)         if (&User-Name =~ /@\./)  {
    (0)         if (&User-Name =~ /@\./)   -> FALSE
    (0)       } # if (&User-Name)  = notfound
    (0)     } # policy filter_username = notfound
    (0)     [preprocess] = ok
    (0)     [chap] = noop
    (0)     [mschap] = noop
    (0)     [digest] = noop
    (0) suffix: Checking for suffix after "@"
    (0) suffix: No '@' in User-Name = "test01", looking up realm NULL
    (0) suffix: No such realm "NULL"
    (0)     [suffix] = noop
    (0) eap: Peer sent EAP Response (code 2) ID 0 length 11
    (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
    (0)     [eap] = ok
    (0)   } # authorize = ok
    (0) Found Auth-Type = eap
    (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (0)   authenticate {
    (0) eap: Peer sent packet with method EAP Identity (1)
    (0) eap: Calling submodule eap_peap to process data
    (0) eap_peap: Initiating new TLS session
    (0) eap_peap: [eaptls start] = request
    (0) eap: Sending EAP Request (code 1) ID 1 length 6
    (0) eap: EAP session adding &reply:State = 0x161a12b5161b0bd7
    (0)     [eap] = handled
    (0)   } # authenticate = handled
    (0) Using Post-Auth-Type Challenge
    (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (0)   Challenge { ... } # empty sub-section is ignored
    (0) Sent Access-Challenge Id 198 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0
    (0)   EAP-Message = 0x010100061920
    (0)   Message-Authenticator = 0x00000000000000000000000000000000
    (0)   State = 0x161a12b5161b0bd7c9da019a103d54e7
    (0) Finished request
    Waking up in 4.9 seconds.
    (1) Received Access-Request Id 199 from 192.168.1.20:32778 to 192.168.1.10:1812 length 236
    (1)   User-Name = "test01"
    (1)   NAS-IP-Address = 192.168.1.20
    (1)   NAS-Port = 0
    (1)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
    (1)   Calling-Station-Id = "78-04-73-D4-B4-24"
    (1)   Framed-MTU = 1400
    (1)   NAS-Port-Type = Wireless-802.11
    (1)   Connect-Info = "CONNECT 0Mbps 802.11g"
    (1)   EAP-Message = 0x0201004219800000003816030100330100002f0301000000014010d17cae12af45afd69f3e105f1f5ddbdc3ff0e4a1cdf301910bc6000008002f000a000500040100
    (1)   State = 0x161a12b5161b0bd7c9da019a103d54e7
    (1)   Message-Authenticator = 0x26f38418cff831b2deaa6181c016e886
    (1) session-state: No cached attributes
    (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (1)   authorize {
    (1)     policy filter_username {
    (1)       if (&User-Name) {
    (1)       if (&User-Name)  -> TRUE
    (1)       if (&User-Name)  {
    (1)         if (&User-Name =~ / /) {
    (1)         if (&User-Name =~ / /)  -> FALSE
    (1)         if (&User-Name =~ /@[^@]*@/ ) {
    (1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
    (1)         if (&User-Name =~ /\.\./ ) {
    (1)         if (&User-Name =~ /\.\./ )  -> FALSE
    (1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
    (1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
    (1)         if (&User-Name =~ /\.$/)  {
    (1)         if (&User-Name =~ /\.$/)   -> FALSE
    (1)         if (&User-Name =~ /@\./)  {
    (1)         if (&User-Name =~ /@\./)   -> FALSE
    (1)       } # if (&User-Name)  = notfound
    (1)     } # policy filter_username = notfound
    (1)     [preprocess] = ok
    (1)     [chap] = noop
    (1)     [mschap] = noop
    (1)     [digest] = noop
    (1) suffix: Checking for suffix after "@"
    (1) suffix: No '@' in User-Name = "test01", looking up realm NULL
    (1) suffix: No such realm "NULL"
    (1)     [suffix] = noop
    (1) eap: Peer sent EAP Response (code 2) ID 1 length 66
    (1) eap: Continuing tunnel setup
    (1)     [eap] = ok
    (1)   } # authorize = ok
    (1) Found Auth-Type = eap
    (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (1)   authenticate {
    (1) eap: Expiring EAP session with state 0x161a12b5161b0bd7
    (1) eap: Finished EAP session with state 0x161a12b5161b0bd7
    (1) eap: Previous EAP request found for state 0x161a12b5161b0bd7, released from the list
    (1) eap: Peer sent packet with method EAP PEAP (25)
    (1) eap: Calling submodule eap_peap to process data
    (1) eap_peap: Continuing EAP-TLS
    (1) eap_peap: Peer indicated complete TLS record size will be 56 bytes
    (1) eap_peap: Got complete TLS record (56 bytes)
    (1) eap_peap: [eaptls verify] = length included
    (1) eap_peap: (other): before SSL initialization
    (1) eap_peap: TLS_accept: before SSL initialization
    (1) eap_peap: TLS_accept: before SSL initialization
    (1) eap_peap: <<< recv TLS 1.3  [length 0033] 
    (1) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version 
    (1) eap_peap: ERROR: TLS Alert write:fatal:protocol version
    tls: TLS_accept: Error in error
    (1) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
    (1) eap_peap: ERROR: System call (I/O) error (-1)
    (1) eap_peap: ERROR: TLS receive handshake failed during operation
    (1) eap_peap: ERROR: [eaptls process] = fail
    (1) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
    (1) eap: Sending EAP Failure (code 4) ID 1 length 4
    (1) eap: Failed in EAP select
    (1)     [eap] = invalid
    (1)   } # authenticate = invalid
    (1) Failed to authenticate the user
    (1) Using Post-Auth-Type Reject
    (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (1)   Post-Auth-Type REJECT {
    (1) attr_filter.access_reject: EXPAND %{User-Name}
    (1) attr_filter.access_reject:    --> test01
    (1) attr_filter.access_reject: Matched entry DEFAULT at line 11
    (1)     [attr_filter.access_reject] = updated
    (1)     [eap] = noop
    (1)     policy remove_reply_message_if_eap {
    (1)       if (&reply:EAP-Message && &reply:Reply-Message) {
    (1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
    (1)       else {
    (1)         [noop] = noop
    (1)       } # else = noop
    (1)     } # policy remove_reply_message_if_eap = noop
    (1)   } # Post-Auth-Type REJECT = updated
    (1) Delaying response for 1.000000 seconds
    Waking up in 0.3 seconds.
    Waking up in 0.6 seconds.
    (1) Sending delayed response
    (1) Sent Access-Reject Id 199 from 192.168.1.10:1812 to 192.168.1.20:32778 length 44
    (1)   EAP-Message = 0x04010004
    (1)   Message-Authenticator = 0x00000000000000000000000000000000
    Waking up in 3.9 seconds.
    (2) Received Access-Request Id 200 from 192.168.1.20:32778 to 192.168.1.10:1812 length 163
    (2)   User-Name = "test01"
    (2)   NAS-IP-Address = 192.168.1.20
    (2)   NAS-Port = 0
    (2)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
    (2)   Calling-Station-Id = "78-04-73-D4-B4-24"
    (2)   Framed-MTU = 1400
    (2)   NAS-Port-Type = Wireless-802.11
    (2)   Connect-Info = "CONNECT 0Mbps 802.11g"
    (2)   EAP-Message = 0x0200000b01746573743031
    (2)   Message-Authenticator = 0x1a963b49dd6076cf2f4fa1fba1c43999
    (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (2)   authorize {
    (2)     policy filter_username {
    (2)       if (&User-Name) {
    (2)       if (&User-Name)  -> TRUE
    (2)       if (&User-Name)  {
    (2)         if (&User-Name =~ / /) {
    (2)         if (&User-Name =~ / /)  -> FALSE
    (2)         if (&User-Name =~ /@[^@]*@/ ) {
    (2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
    (2)         if (&User-Name =~ /\.\./ ) {
    (2)         if (&User-Name =~ /\.\./ )  -> FALSE
    (2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
    (2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
    (2)         if (&User-Name =~ /\.$/)  {
    (2)         if (&User-Name =~ /\.$/)   -> FALSE
    (2)         if (&User-Name =~ /@\./)  {
    (2)         if (&User-Name =~ /@\./)   -> FALSE
    (2)       } # if (&User-Name)  = notfound
    (2)     } # policy filter_username = notfound
    (2)     [preprocess] = ok
    (2)     [chap] = noop
    (2)     [mschap] = noop
    (2)     [digest] = noop
    (2) suffix: Checking for suffix after "@"
    (2) suffix: No '@' in User-Name = "test01", looking up realm NULL
    (2) suffix: No such realm "NULL"
    (2)     [suffix] = noop
    (2) eap: Peer sent EAP Response (code 2) ID 0 length 11
    (2) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
    (2)     [eap] = ok
    (2)   } # authorize = ok
    (2) Found Auth-Type = eap
    (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (2)   authenticate {
    (2) eap: Peer sent packet with method EAP Identity (1)
    (2) eap: Calling submodule eap_peap to process data
    (2) eap_peap: Initiating new TLS session
    (2) eap_peap: [eaptls start] = request
    (2) eap: Sending EAP Request (code 1) ID 1 length 6
    (2) eap: EAP session adding &reply:State = 0x89fdc3af89fcda40
    (2)     [eap] = handled
    (2)   } # authenticate = handled
    (2) Using Post-Auth-Type Challenge
    (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (2)   Challenge { ... } # empty sub-section is ignored
    (2) Sent Access-Challenge Id 200 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0
    (2)   EAP-Message = 0x010100061920
    (2)   Message-Authenticator = 0x00000000000000000000000000000000
    (2)   State = 0x89fdc3af89fcda40b23ee30ca259c112
    (2) Finished request
    Waking up in 1.6 seconds.
    (3) Received Access-Request Id 201 from 192.168.1.20:32778 to 192.168.1.10:1812 length 236
    (3)   User-Name = "test01"
    (3)   NAS-IP-Address = 192.168.1.20
    (3)   NAS-Port = 0
    (3)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
    (3)   Calling-Station-Id = "78-04-73-D4-B4-24"
    (3)   Framed-MTU = 1400
    (3)   NAS-Port-Type = Wireless-802.11
    (3)   Connect-Info = "CONNECT 0Mbps 802.11g"
    (3)   EAP-Message = 0x0201004219800000003816030100330100002f03010000000494488b30d62b3686dcfadb39339d4029f0b44718cdc3eae9520144a2000008002f000a000500040100
    (3)   State = 0x89fdc3af89fcda40b23ee30ca259c112
    (3)   Message-Authenticator = 0xfa32b7718a9b4395c854ecfddae223e8
    (3) session-state: No cached attributes
    (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (3)   authorize {
    (3)     policy filter_username {
    (3)       if (&User-Name) {
    (3)       if (&User-Name)  -> TRUE
    (3)       if (&User-Name)  {
    (3)         if (&User-Name =~ / /) {
    (3)         if (&User-Name =~ / /)  -> FALSE
    (3)         if (&User-Name =~ /@[^@]*@/ ) {
    (3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
    (3)         if (&User-Name =~ /\.\./ ) {
    (3)         if (&User-Name =~ /\.\./ )  -> FALSE
    (3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
    (3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
    (3)         if (&User-Name =~ /\.$/)  {
    (3)         if (&User-Name =~ /\.$/)   -> FALSE
    (3)         if (&User-Name =~ /@\./)  {
    (3)         if (&User-Name =~ /@\./)   -> FALSE
    (3)       } # if (&User-Name)  = notfound
    (3)     } # policy filter_username = notfound
    (3)     [preprocess] = ok
    (3)     [chap] = noop
    (3)     [mschap] = noop
    (3)     [digest] = noop
    (3) suffix: Checking for suffix after "@"
    (3) suffix: No '@' in User-Name = "test01", looking up realm NULL
    (3) suffix: No such realm "NULL"
    (3)     [suffix] = noop
    (3) eap: Peer sent EAP Response (code 2) ID 1 length 66
    (3) eap: Continuing tunnel setup
    (3)     [eap] = ok
    (3)   } # authorize = ok
    (3) Found Auth-Type = eap
    (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (3)   authenticate {
    (3) eap: Expiring EAP session with state 0x89fdc3af89fcda40
    (3) eap: Finished EAP session with state 0x89fdc3af89fcda40
    (3) eap: Previous EAP request found for state 0x89fdc3af89fcda40, released from the list
    (3) eap: Peer sent packet with method EAP PEAP (25)
    (3) eap: Calling submodule eap_peap to process data
    (3) eap_peap: Continuing EAP-TLS
    (3) eap_peap: Peer indicated complete TLS record size will be 56 bytes
    (3) eap_peap: Got complete TLS record (56 bytes)
    (3) eap_peap: [eaptls verify] = length included
    (3) eap_peap: (other): before SSL initialization
    (3) eap_peap: TLS_accept: before SSL initialization
    (3) eap_peap: TLS_accept: before SSL initialization
    (3) eap_peap: <<< recv TLS 1.3  [length 0033] 
    (3) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version 
    (3) eap_peap: ERROR: TLS Alert write:fatal:protocol version
    tls: TLS_accept: Error in error
    (3) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
    (3) eap_peap: ERROR: System call (I/O) error (-1)
    (3) eap_peap: ERROR: TLS receive handshake failed during operation
    (3) eap_peap: ERROR: [eaptls process] = fail
    (3) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
    (3) eap: Sending EAP Failure (code 4) ID 1 length 4
    (3) eap: Failed in EAP select
    (3)     [eap] = invalid
    (3)   } # authenticate = invalid
    (3) Failed to authenticate the user
    (3) Using Post-Auth-Type Reject
    (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (3)   Post-Auth-Type REJECT {
    (3) attr_filter.access_reject: EXPAND %{User-Name}
    (3) attr_filter.access_reject:    --> test01
    (3) attr_filter.access_reject: Matched entry DEFAULT at line 11
    (3)     [attr_filter.access_reject] = updated
    (3)     [eap] = noop
    (3)     policy remove_reply_message_if_eap {
    (3)       if (&reply:EAP-Message && &reply:Reply-Message) {
    (3)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
    (3)       else {
    (3)         [noop] = noop
    (3)       } # else = noop
    (3)     } # policy remove_reply_message_if_eap = noop
    (3)   } # Post-Auth-Type REJECT = updated
    (3) Delaying response for 1.000000 seconds
    Waking up in 0.3 seconds.
    Waking up in 0.6 seconds.
    (3) Sending delayed response
    (3) Sent Access-Reject Id 201 from 192.168.1.10:1812 to 192.168.1.20:32778 length 44
    (3)   EAP-Message = 0x04010004
    (3)   Message-Authenticator = 0x00000000000000000000000000000000
    Waking up in 0.6 seconds.
    (0) Cleaning up request packet ID 198 with timestamp +15
    (1) Cleaning up request packet ID 199 with timestamp +15
    Waking up in 3.3 seconds.
    (4) Received Access-Request Id 202 from 192.168.1.20:32778 to 192.168.1.10:1812 length 163
    (4)   User-Name = "test01"
    (4)   NAS-IP-Address = 192.168.1.20
    (4)   NAS-Port = 0
    (4)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
    (4)   Calling-Station-Id = "78-04-73-D4-B4-24"
    (4)   Framed-MTU = 1400
    (4)   NAS-Port-Type = Wireless-802.11
    (4)   Connect-Info = "CONNECT 0Mbps 802.11g"
    (4)   EAP-Message = 0x0200000b01746573743031
    (4)   Message-Authenticator = 0x2b5a35810bd8e3382293264ae6164524
    (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (4)   authorize {
    (4)     policy filter_username {
    (4)       if (&User-Name) {
    (4)       if (&User-Name)  -> TRUE
    (4)       if (&User-Name)  {
    (4)         if (&User-Name =~ / /) {
    (4)         if (&User-Name =~ / /)  -> FALSE
    (4)         if (&User-Name =~ /@[^@]*@/ ) {
    (4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
    (4)         if (&User-Name =~ /\.\./ ) {
    (4)         if (&User-Name =~ /\.\./ )  -> FALSE
    (4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
    (4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
    (4)         if (&User-Name =~ /\.$/)  {
    (4)         if (&User-Name =~ /\.$/)   -> FALSE
    (4)         if (&User-Name =~ /@\./)  {
    (4)         if (&User-Name =~ /@\./)   -> FALSE
    (4)       } # if (&User-Name)  = notfound
    (4)     } # policy filter_username = notfound
    (4)     [preprocess] = ok
    (4)     [chap] = noop
    (4)     [mschap] = noop
    (4)     [digest] = noop
    (4) suffix: Checking for suffix after "@"
    (4) suffix: No '@' in User-Name = "test01", looking up realm NULL
    (4) suffix: No such realm "NULL"
    (4)     [suffix] = noop
    (4) eap: Peer sent EAP Response (code 2) ID 0 length 11
    (4) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
    (4)     [eap] = ok
    (4)   } # authorize = ok
    (4) Found Auth-Type = eap
    (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (4)   authenticate {
    (4) eap: Peer sent packet with method EAP Identity (1)
    (4) eap: Calling submodule eap_peap to process data
    (4) eap_peap: Initiating new TLS session
    (4) eap_peap: [eaptls start] = request
    (4) eap: Sending EAP Request (code 1) ID 1 length 6
    (4) eap: EAP session adding &reply:State = 0xa6c51194a6c4089d
    (4)     [eap] = handled
    (4)   } # authenticate = handled
    (4) Using Post-Auth-Type Challenge
    (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (4)   Challenge { ... } # empty sub-section is ignored
    (4) Sent Access-Challenge Id 202 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0
    (4)   EAP-Message = 0x010100061920
    (4)   Message-Authenticator = 0x00000000000000000000000000000000
    (4)   State = 0xa6c51194a6c4089df601ed7b8992dfa9
    (4) Finished request
    Waking up in 1.3 seconds.
    (5) Received Access-Request Id 203 from 192.168.1.20:32778 to 192.168.1.10:1812 length 236
    (5)   User-Name = "test01"
    (5)   NAS-IP-Address = 192.168.1.20
    (5)   NAS-Port = 0
    (5)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
    (5)   Calling-Station-Id = "78-04-73-D4-B4-24"
    (5)   Framed-MTU = 1400
    (5)   NAS-Port-Type = Wireless-802.11
    (5)   Connect-Info = "CONNECT 0Mbps 802.11g"
    (5)   EAP-Message = 0x0201004219800000003816030100330100002f0301000000084c90a9be82b3c82da0554b8c04a74adab6ef3b4b7caffd7205883462000008002f000a000500040100
    (5)   State = 0xa6c51194a6c4089df601ed7b8992dfa9
    (5)   Message-Authenticator = 0x11a7aaacd38a9021661cce832730437b
    (5) session-state: No cached attributes
    (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (5)   authorize {
    (5)     policy filter_username {
    (5)       if (&User-Name) {
    (5)       if (&User-Name)  -> TRUE
    (5)       if (&User-Name)  {
    (5)         if (&User-Name =~ / /) {
    (5)         if (&User-Name =~ / /)  -> FALSE
    (5)         if (&User-Name =~ /@[^@]*@/ ) {
    (5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
    (5)         if (&User-Name =~ /\.\./ ) {
    (5)         if (&User-Name =~ /\.\./ )  -> FALSE
    (5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
    (5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
    (5)         if (&User-Name =~ /\.$/)  {
    (5)         if (&User-Name =~ /\.$/)   -> FALSE
    (5)         if (&User-Name =~ /@\./)  {
    (5)         if (&User-Name =~ /@\./)   -> FALSE
    (5)       } # if (&User-Name)  = notfound
    (5)     } # policy filter_username = notfound
    (5)     [preprocess] = ok
    (5)     [chap] = noop
    (5)     [mschap] = noop
    (5)     [digest] = noop
    (5) suffix: Checking for suffix after "@"
    (5) suffix: No '@' in User-Name = "test01", looking up realm NULL
    (5) suffix: No such realm "NULL"
    (5)     [suffix] = noop
    (5) eap: Peer sent EAP Response (code 2) ID 1 length 66
    (5) eap: Continuing tunnel setup
    (5)     [eap] = ok
    (5)   } # authorize = ok
    (5) Found Auth-Type = eap
    (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (5)   authenticate {
    (5) eap: Expiring EAP session with state 0xa6c51194a6c4089d
    (5) eap: Finished EAP session with state 0xa6c51194a6c4089d
    (5) eap: Previous EAP request found for state 0xa6c51194a6c4089d, released from the list
    (5) eap: Peer sent packet with method EAP PEAP (25)
    (5) eap: Calling submodule eap_peap to process data
    (5) eap_peap: Continuing EAP-TLS
    (5) eap_peap: Peer indicated complete TLS record size will be 56 bytes
    (5) eap_peap: Got complete TLS record (56 bytes)
    (5) eap_peap: [eaptls verify] = length included
    (5) eap_peap: (other): before SSL initialization
    (5) eap_peap: TLS_accept: before SSL initialization
    (5) eap_peap: TLS_accept: before SSL initialization
    (5) eap_peap: <<< recv TLS 1.3  [length 0033] 
    (5) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version 
    (5) eap_peap: ERROR: TLS Alert write:fatal:protocol version
    tls: TLS_accept: Error in error
    (5) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
    (5) eap_peap: ERROR: System call (I/O) error (-1)
    (5) eap_peap: ERROR: TLS receive handshake failed during operation
    (5) eap_peap: ERROR: [eaptls process] = fail
    (5) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
    (5) eap: Sending EAP Failure (code 4) ID 1 length 4
    (5) eap: Failed in EAP select
    (5)     [eap] = invalid
    (5)   } # authenticate = invalid
    (5) Failed to authenticate the user
    (5) Using Post-Auth-Type Reject
    (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (5)   Post-Auth-Type REJECT {
    (5) attr_filter.access_reject: EXPAND %{User-Name}
    (5) attr_filter.access_reject:    --> test01
    (5) attr_filter.access_reject: Matched entry DEFAULT at line 11
    (5)     [attr_filter.access_reject] = updated
    (5)     [eap] = noop
    (5)     policy remove_reply_message_if_eap {
    (5)       if (&reply:EAP-Message && &reply:Reply-Message) {
    (5)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
    (5)       else {
    (5)         [noop] = noop
    (5)       } # else = noop
    (5)     } # policy remove_reply_message_if_eap = noop
    (5)   } # Post-Auth-Type REJECT = updated
    (5) Delaying response for 1.000000 seconds
    Waking up in 0.3 seconds.
    Waking up in 0.6 seconds.
    (5) Sending delayed response
    (5) Sent Access-Reject Id 203 from 192.168.1.10:1812 to 192.168.1.20:32778 length 44
    (5)   EAP-Message = 0x04010004
    (5)   Message-Authenticator = 0x00000000000000000000000000000000
    Waking up in 0.3 seconds.
    (2) Cleaning up request packet ID 200 with timestamp +19
    (3) Cleaning up request packet ID 201 with timestamp +19
    Waking up in 3.6 seconds.
    (6) Received Access-Request Id 204 from 192.168.1.20:32778 to 192.168.1.10:1812 length 163
    (6)   User-Name = "test01"
    (6)   NAS-IP-Address = 192.168.1.20
    (6)   NAS-Port = 0
    (6)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
    (6)   Calling-Station-Id = "78-04-73-D4-B4-24"
    (6)   Framed-MTU = 1400
    (6)   NAS-Port-Type = Wireless-802.11
    (6)   Connect-Info = "CONNECT 0Mbps 802.11g"
    (6)   EAP-Message = 0x0200000b01746573743031
    (6)   Message-Authenticator = 0x4511afa40d628e02cf7a7d0e4f7f2f40
    (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (6)   authorize {
    (6)     policy filter_username {
    (6)       if (&User-Name) {
    (6)       if (&User-Name)  -> TRUE
    (6)       if (&User-Name)  {
    (6)         if (&User-Name =~ / /) {
    (6)         if (&User-Name =~ / /)  -> FALSE
    (6)         if (&User-Name =~ /@[^@]*@/ ) {
    (6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
    (6)         if (&User-Name =~ /\.\./ ) {
    (6)         if (&User-Name =~ /\.\./ )  -> FALSE
    (6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
    (6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
    (6)         if (&User-Name =~ /\.$/)  {
    (6)         if (&User-Name =~ /\.$/)   -> FALSE
    (6)         if (&User-Name =~ /@\./)  {
    (6)         if (&User-Name =~ /@\./)   -> FALSE
    (6)       } # if (&User-Name)  = notfound
    (6)     } # policy filter_username = notfound
    (6)     [preprocess] = ok
    (6)     [chap] = noop
    (6)     [mschap] = noop
    (6)     [digest] = noop
    (6) suffix: Checking for suffix after "@"
    (6) suffix: No '@' in User-Name = "test01", looking up realm NULL
    (6) suffix: No such realm "NULL"
    (6)     [suffix] = noop
    (6) eap: Peer sent EAP Response (code 2) ID 0 length 11
    (6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
    (6)     [eap] = ok
    (6)   } # authorize = ok
    (6) Found Auth-Type = eap
    (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (6)   authenticate {
    (6) eap: Peer sent packet with method EAP Identity (1)
    (6) eap: Calling submodule eap_peap to process data
    (6) eap_peap: Initiating new TLS session
    (6) eap_peap: [eaptls start] = request
    (6) eap: Sending EAP Request (code 1) ID 1 length 6
    (6) eap: EAP session adding &reply:State = 0x269f5c65269e4518
    (6)     [eap] = handled
    (6)   } # authenticate = handled
    (6) Using Post-Auth-Type Challenge
    (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (6)   Challenge { ... } # empty sub-section is ignored
    (6) Sent Access-Challenge Id 204 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0
    (6)   EAP-Message = 0x010100061920
    (6)   Message-Authenticator = 0x00000000000000000000000000000000
    (6)   State = 0x269f5c65269e4518e878d3f81e810786
    (6) Finished request
    Waking up in 1.0 seconds.
    (7) Received Access-Request Id 205 from 192.168.1.20:32778 to 192.168.1.10:1812 length 236
    (7)   User-Name = "test01"
    (7)   NAS-IP-Address = 192.168.1.20
    (7)   NAS-Port = 0
    (7)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
    (7)   Calling-Station-Id = "78-04-73-D4-B4-24"
    (7)   Framed-MTU = 1400
    (7)   NAS-Port-Type = Wireless-802.11
    (7)   Connect-Info = "CONNECT 0Mbps 802.11g"
    (7)   EAP-Message = 0x0201004219800000003816030100330100002f03010000000cd758439f10df46d18cd2f8515b28b05300539ac42b115855ab9d2222000008002f000a000500040100
    (7)   State = 0x269f5c65269e4518e878d3f81e810786
    (7)   Message-Authenticator = 0xfe7e43bec0523c3f3b53d01e8a003367
    (7) session-state: No cached attributes
    (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (7)   authorize {
    (7)     policy filter_username {
    (7)       if (&User-Name) {
    (7)       if (&User-Name)  -> TRUE
    (7)       if (&User-Name)  {
    (7)         if (&User-Name =~ / /) {
    (7)         if (&User-Name =~ / /)  -> FALSE
    (7)         if (&User-Name =~ /@[^@]*@/ ) {
    (7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
    (7)         if (&User-Name =~ /\.\./ ) {
    (7)         if (&User-Name =~ /\.\./ )  -> FALSE
    (7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
    (7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
    (7)         if (&User-Name =~ /\.$/)  {
    (7)         if (&User-Name =~ /\.$/)   -> FALSE
    (7)         if (&User-Name =~ /@\./)  {
    (7)         if (&User-Name =~ /@\./)   -> FALSE
    (7)       } # if (&User-Name)  = notfound
    (7)     } # policy filter_username = notfound
    (7)     [preprocess] = ok
    (7)     [chap] = noop
    (7)     [mschap] = noop
    (7)     [digest] = noop
    (7) suffix: Checking for suffix after "@"
    (7) suffix: No '@' in User-Name = "test01", looking up realm NULL
    (7) suffix: No such realm "NULL"
    (7)     [suffix] = noop
    (7) eap: Peer sent EAP Response (code 2) ID 1 length 66
    (7) eap: Continuing tunnel setup
    (7)     [eap] = ok
    (7)   } # authorize = ok
    (7) Found Auth-Type = eap
    (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (7)   authenticate {
    (7) eap: Expiring EAP session with state 0x269f5c65269e4518
    (7) eap: Finished EAP session with state 0x269f5c65269e4518
    (7) eap: Previous EAP request found for state 0x269f5c65269e4518, released from the list
    (7) eap: Peer sent packet with method EAP PEAP (25)
    (7) eap: Calling submodule eap_peap to process data
    (7) eap_peap: Continuing EAP-TLS
    (7) eap_peap: Peer indicated complete TLS record size will be 56 bytes
    (7) eap_peap: Got complete TLS record (56 bytes)
    (7) eap_peap: [eaptls verify] = length included
    (7) eap_peap: (other): before SSL initialization
    (7) eap_peap: TLS_accept: before SSL initialization
    (7) eap_peap: TLS_accept: before SSL initialization
    (7) eap_peap: <<< recv TLS 1.3  [length 0033] 
    (7) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version 
    (7) eap_peap: ERROR: TLS Alert write:fatal:protocol version
    tls: TLS_accept: Error in error
    (7) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
    (7) eap_peap: ERROR: System call (I/O) error (-1)
    (7) eap_peap: ERROR: TLS receive handshake failed during operation
    (7) eap_peap: ERROR: [eaptls process] = fail
    (7) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
    (7) eap: Sending EAP Failure (code 4) ID 1 length 4
    (7) eap: Failed in EAP select
    (7)     [eap] = invalid
    (7)   } # authenticate = invalid
    (7) Failed to authenticate the user
    (7) Using Post-Auth-Type Reject
    (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (7)   Post-Auth-Type REJECT {
    (7) attr_filter.access_reject: EXPAND %{User-Name}
    (7) attr_filter.access_reject:    --> test01
    (7) attr_filter.access_reject: Matched entry DEFAULT at line 11
    (7)     [attr_filter.access_reject] = updated
    (7)     [eap] = noop
    (7)     policy remove_reply_message_if_eap {
    (7)       if (&reply:EAP-Message && &reply:Reply-Message) {
    (7)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
    (7)       else {
    (7)         [noop] = noop
    (7)       } # else = noop
    (7)     } # policy remove_reply_message_if_eap = noop
    (7)   } # Post-Auth-Type REJECT = updated
    (7) Delaying response for 1.000000 seconds
    Waking up in 0.3 seconds.
    Waking up in 0.6 seconds.
    (7) Sending delayed response
    (7) Sent Access-Reject Id 205 from 192.168.1.10:1812 to 192.168.1.20:32778 length 44
    (7)   EAP-Message = 0x04010004
    (7)   Message-Authenticator = 0x00000000000000000000000000000000
    (4) Cleaning up request packet ID 202 with timestamp +22
    (5) Cleaning up request packet ID 203 with timestamp +22
    Waking up in 3.9 seconds.
    (6) Cleaning up request packet ID 204 with timestamp +26
    (7) Cleaning up request packet ID 205 with timestamp +26
    Ready to process requests
    (8) Received Access-Request Id 206 from 192.168.1.20:32778 to 192.168.1.10:1812 length 163
    (8)   User-Name = "test01"
    (8)   NAS-IP-Address = 192.168.1.20
    (8)   NAS-Port = 0
    (8)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
    (8)   Calling-Station-Id = "78-04-73-D4-B4-24"
    (8)   Framed-MTU = 1400
    (8)   NAS-Port-Type = Wireless-802.11
    (8)   Connect-Info = "CONNECT 0Mbps 802.11g"
    (8)   EAP-Message = 0x0200000b01746573743031
    (8)   Message-Authenticator = 0x62e39961c85789ea51409ba10bf90bf9
    (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (8)   authorize {
    (8)     policy filter_username {
    (8)       if (&User-Name) {
    (8)       if (&User-Name)  -> TRUE
    (8)       if (&User-Name)  {
    (8)         if (&User-Name =~ / /) {
    (8)         if (&User-Name =~ / /)  -> FALSE
    (8)         if (&User-Name =~ /@[^@]*@/ ) {
    (8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
    (8)         if (&User-Name =~ /\.\./ ) {
    (8)         if (&User-Name =~ /\.\./ )  -> FALSE
    (8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
    (8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
    (8)         if (&User-Name =~ /\.$/)  {
    (8)         if (&User-Name =~ /\.$/)   -> FALSE
    (8)         if (&User-Name =~ /@\./)  {
    (8)         if (&User-Name =~ /@\./)   -> FALSE
    (8)       } # if (&User-Name)  = notfound
    (8)     } # policy filter_username = notfound
    (8)     [preprocess] = ok
    (8)     [chap] = noop
    (8)     [mschap] = noop
    (8)     [digest] = noop
    (8) suffix: Checking for suffix after "@"
    (8) suffix: No '@' in User-Name = "test01", looking up realm NULL
    (8) suffix: No such realm "NULL"
    (8)     [suffix] = noop
    (8) eap: Peer sent EAP Response (code 2) ID 0 length 11
    (8) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
    (8)     [eap] = ok
    (8)   } # authorize = ok
    (8) Found Auth-Type = eap
    (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (8)   authenticate {
    (8) eap: Peer sent packet with method EAP Identity (1)
    (8) eap: Calling submodule eap_peap to process data
    (8) eap_peap: Initiating new TLS session
    (8) eap_peap: [eaptls start] = request
    (8) eap: Sending EAP Request (code 1) ID 1 length 6
    (8) eap: EAP session adding &reply:State = 0xb4a617adb4a70e51
    (8)     [eap] = handled
    (8)   } # authenticate = handled
    (8) Using Post-Auth-Type Challenge
    (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (8)   Challenge { ... } # empty sub-section is ignored
    (8) Sent Access-Challenge Id 206 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0
    (8)   EAP-Message = 0x010100061920
    (8)   Message-Authenticator = 0x00000000000000000000000000000000
    (8)   State = 0xb4a617adb4a70e5128ccb6ce85892f8b
    (8) Finished request
    Waking up in 4.9 seconds.
    (8) Cleaning up request packet ID 206 with timestamp +183
    Ready to process requests

  • In reply to cc3100moduser:

    Further Question:

    What will happen, if initially the device (CC3100MOD) has incorrect time information?
    We work with SNTP, to periodically correct time info, this when using WPA2-AES (Personal).

    With WPA-Enterprise, we dont have access to a time info until we authentificate with the radius server, but to do so, i suspect it wont work with accurate time info.

    Is there a solution for this?

  • In reply to cc3100moduser:

    The user can set the time manually (see sl_DeivceSet(SL_DEVICE_GENERAL,SL_DEVICE_GENERAL_DATE_TIME...).You can also use some kind of provisioning method to inject the time to the device.

    Currently it looks like the freeRadius wrongly parses our EAP message.

    Can you send a log of a successful connection, so we try to look for the differences.

    Br,

    Kobi

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.