Other Parts Discussed in Thread: CC3100, CC3120
We are trying to get PEAP0/1_MSCHAPv2 working with the CC3100MOD, using FreeRADIUS as the server.
We have NOT programmed any certificates, neither the CA certificate nor the client certificate/key, as this should not be necessary. We disable "server authentication" on the CC3100MOD.
The connection is not successful, see the attachments below.
Could you please help us identify the issue?
Thank you
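/**
 * Bench-test connect to a WPA2-Enterprise network using PEAP0/MSCHAPv2.
 *
 * Disables enterprise server authentication, turns off auto-connect to stored
 * profiles, issues sl_WlanConnect() with fixed test credentials, then
 * busy-waits until both IS_CONNECTED and IS_IP_ACQUIRED hold for _sl_state or
 * the break-up timer reports expiry.
 *
 * @param mode  Not used by this function.
 * @return SUCCESS once connected with an IP address; FAIL if the connect
 *         request is rejected immediately or the timer expires first.
 */
int32_t connect(int32_t mode)
{
    (void)mode;

    // 0 - Disable the server authentication | 1 - Enable (this is the default)
    //
    // NOTE(review): with server authentication disabled the module does not
    // validate the RADIUS server certificate, so the PEAP tunnel is set up with
    // whoever answers for this SSID and the inner MSCHAPv2 exchange is exposed
    // to a look-alike access point. Keep this to bench testing; for deployment
    // program the CA certificate and leave the default (1) in place.
    uint8_t pValues = 0;
    // Option id 19 is passed as a bare number, exactly as in the original post.
    const int set_ret = (int)sl_WlanSet((_u16)SL_WLAN_CFG_GENERAL_PARAM_ID,
                                        (_u16)19,
                                        (_u16)1,
                                        (_u8 *)&pValues);
    log_internal("Enable/Disable Server authentification (%d), ret=%d\n",
                 (int)pValues, set_ret);

    // NOTE(review): test-only SSID and credentials compiled into the image;
    // production firmware should take these from provisioned, protected storage.
    char const dummyssid[32] = "ophtest-wpa2ent-up";
    const uint8_t dummymac[6] = {0, 0, 0, 0, 0, 0};

    SlSecParams_t dummysecparams = {
        SL_SEC_TYPE_WPA_ENT,
        (signed char *)"testing",
        (uint8_t)strlen("testing"),
    };

    SlSecParamsExt_t dummysecparamsext = {
        (signed char *)"test01",
        (uint8_t)strlen("test01"),
        nullptr,
        0,
        0, // cert index not supported
        SL_ENT_EAP_METHOD_PEAP0_MSCHAPv2
    };

    int16_t ret = -1;

    // disable auto connect with programmed profiles
    ret = sl_WlanPolicySet(SL_POLICY_CONNECTION, SL_CONNECTION_POLICY(0, 0, 0, 0, 0), 0, 0);
    if (ret < 0) {
        // Previously this result was overwritten unseen. The policy change is
        // best-effort, so report it and carry on with the connect attempt.
        log_internal("sl_WlanPolicySet failed, ret=%d\n", (int)ret);
    }

    *_tim_breakup_fin = false;
    _tim_breakup->start();

    ret = sl_WlanConnect((const _i8 *)dummyssid,  /*pName*/
                         strlen(dummyssid),       /*NameLen*/
                         dummymac,                /*pMacAddr*/
                         &dummysecparams,         /*pSecParams*/
                         &dummysecparamsext       /*pSecExtParams*/);
    if (ret < 0) {
        // A negative return is treated as the driver rejecting the request
        // (assumed SimpleLink convention - confirm against the SDK in use).
        // Fail now instead of spinning until the timer expires.
        log_internal("sl_WlanConnect failed, ret=%d\n", (int)ret);
        _tim_breakup->stop();
        *_tim_breakup_fin = false;
        return FAIL;
    }

    // nothing to do .. sl spawn thread will take care of it, just wait until
    // the connection has been established
    // NOTE(review): the timeout exit relies on *_tim_breakup_fin being re-read
    // on every pass; confirm the flag is declared volatile or atomic.
    while ((!IS_CONNECTED(_sl_state)) || (!IS_IP_ACQUIRED(_sl_state))) {
        if (*_tim_breakup_fin) {
            break;
        }
    }

    if (*_tim_breakup_fin) {
        ret = FAIL; // couldn't connect
    } else {
        _tim_breakup->stop();
        ret = SUCCESS;
    }

    *_tim_breakup_fin = false;
    return ret;
}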
(52) Received Access-Request Id 246 from 192.168.1.20:32778 to 192.168.1.10:1812 length 163 (52) User-Name = "test01" (52) NAS-IP-Address = 192.168.1.20 (52) NAS-Port = 0 (52) Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up" (52) Calling-Station-Id = "78-04-73-D4-B4-24" (52) Framed-MTU = 1400 (52) NAS-Port-Type = Wireless-802.11 (52) Connect-Info = "CONNECT 0Mbps 802.11g" (52) EAP-Message = 0x0200000b01746573743031 (52) Message-Authenticator = 0x4ceab2578c8f02a075a7f11f6320a748 (52) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (52) authorize { (52) policy filter_username { (52) if (&User-Name) { (52) if (&User-Name) -> TRUE (52) if (&User-Name) { (52) if (&User-Name =~ / /) { (52) if (&User-Name =~ / /) -> FALSE (52) if (&User-Name =~ /@[^@]*@/ ) { (52) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (52) if (&User-Name =~ /\.\./ ) { (52) if (&User-Name =~ /\.\./ ) -> FALSE (52) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (52) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (52) if (&User-Name =~ /\.$/) { (52) if (&User-Name =~ /\.$/) -> FALSE (52) if (&User-Name =~ /@\./) { (52) if (&User-Name =~ /@\./) -> FALSE (52) } # if (&User-Name) = notfound (52) } # policy filter_username = notfound (52) [preprocess] = ok (52) [chap] = noop (52) [mschap] = noop (52) [digest] = noop (52) suffix: Checking for suffix after "@" (52) suffix: No '@' in User-Name = "test01", looking up realm NULL (52) suffix: No such realm "NULL" (52) [suffix] = noop (52) eap: Peer sent EAP Response (code 2) ID 0 length 11 (52) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (52) [eap] = ok (52) } # authorize = ok (52) Found Auth-Type = eap (52) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (52) authenticate { (52) eap: Peer sent packet with method EAP Identity (1) (52) eap: Calling submodule eap_md5 to process data (52) eap_md5: Issuing MD5 Challenge (52) eap: 
Sending EAP Request (code 1) ID 1 length 22 (52) eap: EAP session adding &reply:State = 0x633491436335957d (52) [eap] = handled (52) } # authenticate = handled (52) Using Post-Auth-Type Challenge (52) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (52) Challenge { ... } # empty sub-section is ignored (52) Sent Access-Challenge Id 246 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0 (52) EAP-Message = 0x010100160410ba5f459eda3617acd2e624d807a8723c (52) Message-Authenticator = 0x00000000000000000000000000000000 (52) State = 0x633491436335957dbc3411b176659974 (52) Finished request Waking up in 4.9 seconds. (53) Received Access-Request Id 247 from 192.168.1.20:32778 to 192.168.1.10:1812 length 176 (53) User-Name = "test01" (53) NAS-IP-Address = 192.168.1.20 (53) NAS-Port = 0 (53) Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up" (53) Calling-Station-Id = "78-04-73-D4-B4-24" (53) Framed-MTU = 1400 (53) NAS-Port-Type = Wireless-802.11 (53) Connect-Info = "CONNECT 0Mbps 802.11g" (53) EAP-Message = 0x020100060319 (53) State = 0x633491436335957dbc3411b176659974 (53) Message-Authenticator = 0x9cfee8f9a78b498db004da9449e91e98 (53) session-state: No cached attributes (53) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (53) authorize { (53) policy filter_username { (53) if (&User-Name) { (53) if (&User-Name) -> TRUE (53) if (&User-Name) { (53) if (&User-Name =~ / /) { (53) if (&User-Name =~ / /) -> FALSE (53) if (&User-Name =~ /@[^@]*@/ ) { (53) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (53) if (&User-Name =~ /\.\./ ) { (53) if (&User-Name =~ /\.\./ ) -> FALSE (53) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (53) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (53) if (&User-Name =~ /\.$/) { (53) if (&User-Name =~ /\.$/) -> FALSE (53) if (&User-Name =~ /@\./) { (53) if (&User-Name =~ /@\./) -> FALSE (53) } # if (&User-Name) = notfound (53) } # policy filter_username = 
notfound (53) [preprocess] = ok (53) [chap] = noop (53) [mschap] = noop (53) [digest] = noop (53) suffix: Checking for suffix after "@" (53) suffix: No '@' in User-Name = "test01", looking up realm NULL (53) suffix: No such realm "NULL" (53) [suffix] = noop (53) eap: Peer sent EAP Response (code 2) ID 1 length 6 (53) eap: No EAP Start, assuming it's an on-going EAP conversation (53) [eap] = updated (53) files: users: Matched entry test01 at line 1 (53) [files] = ok (53) [expiration] = noop (53) [logintime] = noop (53) pap: WARNING: Auth-Type already set. Not setting to PAP (53) [pap] = noop (53) } # authorize = updated (53) Found Auth-Type = eap (53) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (53) authenticate { (53) eap: Expiring EAP session with state 0x633491436335957d (53) eap: Finished EAP session with state 0x633491436335957d (53) eap: Previous EAP request found for state 0x633491436335957d, released from the list (53) eap: Peer sent packet with method EAP NAK (3) (53) eap: Found mutually acceptable type PEAP (25) (53) eap: Calling submodule eap_peap to process data (53) eap_peap: Initiating new TLS session (53) eap_peap: [eaptls start] = request (53) eap: Sending EAP Request (code 1) ID 2 length 6 (53) eap: EAP session adding &reply:State = 0x633491436236887d (53) [eap] = handled (53) } # authenticate = handled (53) Using Post-Auth-Type Challenge (53) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (53) Challenge { ... } # empty sub-section is ignored (53) Sent Access-Challenge Id 247 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0 (53) EAP-Message = 0x010200061920 (53) Message-Authenticator = 0x00000000000000000000000000000000 (53) State = 0x633491436236887dbc3411b176659974 (53) Finished request Waking up in 4.9 seconds. 
(54) Received Access-Request Id 248 from 192.168.1.20:32778 to 192.168.1.10:1812 length 176 (54) User-Name = "test01" (54) NAS-IP-Address = 192.168.1.20 (54) NAS-Port = 0 (54) Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up" (54) Calling-Station-Id = "78-04-73-D4-B4-24" (54) Framed-MTU = 1400 (54) NAS-Port-Type = Wireless-802.11 (54) Connect-Info = "CONNECT 0Mbps 802.11g" (54) EAP-Message = 0x020200060300 (54) State = 0x633491436236887dbc3411b176659974 (54) Message-Authenticator = 0x90af88c3ea0d47d73d2b5e1764683fd8 (54) session-state: No cached attributes (54) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (54) authorize { (54) policy filter_username { (54) if (&User-Name) { (54) if (&User-Name) -> TRUE (54) if (&User-Name) { (54) if (&User-Name =~ / /) { (54) if (&User-Name =~ / /) -> FALSE (54) if (&User-Name =~ /@[^@]*@/ ) { (54) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (54) if (&User-Name =~ /\.\./ ) { (54) if (&User-Name =~ /\.\./ ) -> FALSE (54) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (54) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (54) if (&User-Name =~ /\.$/) { (54) if (&User-Name =~ /\.$/) -> FALSE (54) if (&User-Name =~ /@\./) { (54) if (&User-Name =~ /@\./) -> FALSE (54) } # if (&User-Name) = notfound (54) } # policy filter_username = notfound (54) [preprocess] = ok (54) [chap] = noop (54) [mschap] = noop (54) [digest] = noop (54) suffix: Checking for suffix after "@" (54) suffix: No '@' in User-Name = "test01", looking up realm NULL (54) suffix: No such realm "NULL" (54) [suffix] = noop (54) eap: Peer sent EAP Response (code 2) ID 2 length 6 (54) eap: No EAP Start, assuming it's an on-going EAP conversation (54) [eap] = updated (54) files: users: Matched entry test01 at line 1 (54) [files] = ok (54) [expiration] = noop (54) [logintime] = noop (54) pap: WARNING: Auth-Type already set. 
Not setting to PAP (54) [pap] = noop (54) } # authorize = updated (54) Found Auth-Type = eap (54) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (54) authenticate { (54) eap: Expiring EAP session with state 0x633491436236887d (54) eap: Finished EAP session with state 0x633491436236887d (54) eap: Previous EAP request found for state 0x633491436236887d, released from the list (54) eap: Peer sent packet with method EAP NAK (3) (54) eap: Peer NAK'd indicating it is not willing to continue (54) eap: Sending EAP Failure (code 4) ID 2 length 4 (54) eap: Failed in EAP select (54) [eap] = invalid (54) } # authenticate = invalid (54) Failed to authenticate the user (54) Using Post-Auth-Type Reject (54) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (54) Post-Auth-Type REJECT { (54) attr_filter.access_reject: EXPAND %{User-Name} (54) attr_filter.access_reject: --> test01 (54) attr_filter.access_reject: Matched entry DEFAULT at line 11 (54) [attr_filter.access_reject] = updated (54) [eap] = noop (54) policy remove_reply_message_if_eap { (54) if (&reply:EAP-Message && &reply:Reply-Message) { (54) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (54) else { (54) [noop] = noop (54) } # else = noop (54) } # policy remove_reply_message_if_eap = noop (54) } # Post-Auth-Type REJECT = updated (54) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (54) Sending delayed response (54) Sent Access-Reject Id 248 from 192.168.1.10:1812 to 192.168.1.20:32778 length 44 (54) EAP-Message = 0x04020004 (54) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. 
(55) Received Access-Request Id 249 from 192.168.1.20:32778 to 192.168.1.10:1812 length 163 (55) User-Name = "test01" (55) NAS-IP-Address = 192.168.1.20 (55) NAS-Port = 0 (55) Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up" (55) Calling-Station-Id = "78-04-73-D4-B4-24" (55) Framed-MTU = 1400 (55) NAS-Port-Type = Wireless-802.11 (55) Connect-Info = "CONNECT 0Mbps 802.11g" (55) EAP-Message = 0x0200000b01746573743031 (55) Message-Authenticator = 0xef10fa68009844fdf7211b785d7c251b (55) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (55) authorize { (55) policy filter_username { (55) if (&User-Name) { (55) if (&User-Name) -> TRUE (55) if (&User-Name) { (55) if (&User-Name =~ / /) { (55) if (&User-Name =~ / /) -> FALSE (55) if (&User-Name =~ /@[^@]*@/ ) { (55) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (55) if (&User-Name =~ /\.\./ ) { (55) if (&User-Name =~ /\.\./ ) -> FALSE (55) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (55) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (55) if (&User-Name =~ /\.$/) { (55) if (&User-Name =~ /\.$/) -> FALSE (55) if (&User-Name =~ /@\./) { (55) if (&User-Name =~ /@\./) -> FALSE (55) } # if (&User-Name) = notfound (55) } # policy filter_username = notfound (55) [preprocess] = ok (55) [chap] = noop (55) [mschap] = noop (55) [digest] = noop (55) suffix: Checking for suffix after "@" (55) suffix: No '@' in User-Name = "test01", looking up realm NULL (55) suffix: No such realm "NULL" (55) [suffix] = noop (55) eap: Peer sent EAP Response (code 2) ID 0 length 11 (55) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (55) [eap] = ok (55) } # authorize = ok (55) Found Auth-Type = eap (55) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (55) authenticate { (55) eap: Peer sent packet with method EAP Identity (1) (55) eap: Calling submodule eap_md5 to process data (55) eap_md5: Issuing MD5 Challenge (55) eap: 
Sending EAP Request (code 1) ID 1 length 22 (55) eap: EAP session adding &reply:State = 0x63735e5863725ae6 (55) [eap] = handled (55) } # authenticate = handled (55) Using Post-Auth-Type Challenge (55) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (55) Challenge { ... } # empty sub-section is ignored (55) Sent Access-Challenge Id 249 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0 (55) EAP-Message = 0x01010016041068b48875b03f069d5553d10b064ac816 (55) Message-Authenticator = 0x00000000000000000000000000000000 (55) State = 0x63735e5863725ae6e05a1d3b154eb421 (55) Finished request Waking up in 1.6 seconds. (56) Received Access-Request Id 250 from 192.168.1.20:32778 to 192.168.1.10:1812 length 176 (56) User-Name = "test01" (56) NAS-IP-Address = 192.168.1.20 (56) NAS-Port = 0 (56) Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up" (56) Calling-Station-Id = "78-04-73-D4-B4-24" (56) Framed-MTU = 1400 (56) NAS-Port-Type = Wireless-802.11 (56) Connect-Info = "CONNECT 0Mbps 802.11g" (56) EAP-Message = 0x020100060319 (56) State = 0x63735e5863725ae6e05a1d3b154eb421 (56) Message-Authenticator = 0xfc3751df489663d525ecfaa82e691525 (56) session-state: No cached attributes (56) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (56) authorize { (56) policy filter_username { (56) if (&User-Name) { (56) if (&User-Name) -> TRUE (56) if (&User-Name) { (56) if (&User-Name =~ / /) { (56) if (&User-Name =~ / /) -> FALSE (56) if (&User-Name =~ /@[^@]*@/ ) { (56) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (56) if (&User-Name =~ /\.\./ ) { (56) if (&User-Name =~ /\.\./ ) -> FALSE (56) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (56) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (56) if (&User-Name =~ /\.$/) { (56) if (&User-Name =~ /\.$/) -> FALSE (56) if (&User-Name =~ /@\./) { (56) if (&User-Name =~ /@\./) -> FALSE (56) } # if (&User-Name) = notfound (56) } # policy filter_username = 
notfound (56) [preprocess] = ok (56) [chap] = noop (56) [mschap] = noop (56) [digest] = noop (56) suffix: Checking for suffix after "@" (56) suffix: No '@' in User-Name = "test01", looking up realm NULL (56) suffix: No such realm "NULL" (56) [suffix] = noop (56) eap: Peer sent EAP Response (code 2) ID 1 length 6 (56) eap: No EAP Start, assuming it's an on-going EAP conversation (56) [eap] = updated (56) files: users: Matched entry test01 at line 1 (56) [files] = ok (56) [expiration] = noop (56) [logintime] = noop (56) pap: WARNING: Auth-Type already set. Not setting to PAP (56) [pap] = noop (56) } # authorize = updated (56) Found Auth-Type = eap (56) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (56) authenticate { (56) eap: Expiring EAP session with state 0x63735e5863725ae6 (56) eap: Finished EAP session with state 0x63735e5863725ae6 (56) eap: Previous EAP request found for state 0x63735e5863725ae6, released from the list (56) eap: Peer sent packet with method EAP NAK (3) (56) eap: Found mutually acceptable type PEAP (25) (56) eap: Calling submodule eap_peap to process data (56) eap_peap: Initiating new TLS session (56) eap_peap: [eaptls start] = request (56) eap: Sending EAP Request (code 1) ID 2 length 6 (56) eap: EAP session adding &reply:State = 0x63735e58627147e6 (56) [eap] = handled (56) } # authenticate = handled (56) Using Post-Auth-Type Challenge (56) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (56) Challenge { ... } # empty sub-section is ignored (56) Sent Access-Challenge Id 250 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0 (56) EAP-Message = 0x010200061920 (56) Message-Authenticator = 0x00000000000000000000000000000000 (56) State = 0x63735e58627147e6e05a1d3b154eb421 (56) Finished request Waking up in 1.6 seconds. 
(57) Received Access-Request Id 251 from 192.168.1.20:32778 to 192.168.1.10:1812 length 176 (57) User-Name = "test01" (57) NAS-IP-Address = 192.168.1.20 (57) NAS-Port = 0 (57) Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up" (57) Calling-Station-Id = "78-04-73-D4-B4-24" (57) Framed-MTU = 1400 (57) NAS-Port-Type = Wireless-802.11 (57) Connect-Info = "CONNECT 0Mbps 802.11g" (57) EAP-Message = 0x020200060300 (57) State = 0x63735e58627147e6e05a1d3b154eb421 (57) Message-Authenticator = 0xc33ab970a8a9c1c0e5a1e367b874a105 (57) session-state: No cached attributes (57) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (57) authorize { (57) policy filter_username { (57) if (&User-Name) { (57) if (&User-Name) -> TRUE (57) if (&User-Name) { (57) if (&User-Name =~ / /) { (57) if (&User-Name =~ / /) -> FALSE (57) if (&User-Name =~ /@[^@]*@/ ) { (57) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (57) if (&User-Name =~ /\.\./ ) { (57) if (&User-Name =~ /\.\./ ) -> FALSE (57) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (57) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (57) if (&User-Name =~ /\.$/) { (57) if (&User-Name =~ /\.$/) -> FALSE (57) if (&User-Name =~ /@\./) { (57) if (&User-Name =~ /@\./) -> FALSE (57) } # if (&User-Name) = notfound (57) } # policy filter_username = notfound (57) [preprocess] = ok (57) [chap] = noop (57) [mschap] = noop (57) [digest] = noop (57) suffix: Checking for suffix after "@" (57) suffix: No '@' in User-Name = "test01", looking up realm NULL (57) suffix: No such realm "NULL" (57) [suffix] = noop (57) eap: Peer sent EAP Response (code 2) ID 2 length 6 (57) eap: No EAP Start, assuming it's an on-going EAP conversation (57) [eap] = updated (57) files: users: Matched entry test01 at line 1 (57) [files] = ok (57) [expiration] = noop (57) [logintime] = noop (57) pap: WARNING: Auth-Type already set. 
Not setting to PAP (57) [pap] = noop (57) } # authorize = updated (57) Found Auth-Type = eap (57) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (57) authenticate { (57) eap: Expiring EAP session with state 0x63735e58627147e6 (57) eap: Finished EAP session with state 0x63735e58627147e6 (57) eap: Previous EAP request found for state 0x63735e58627147e6, released from the list (57) eap: Peer sent packet with method EAP NAK (3) (57) eap: Peer NAK'd indicating it is not willing to continue (57) eap: Sending EAP Failure (code 4) ID 2 length 4 (57) eap: Failed in EAP select (57) [eap] = invalid (57) } # authenticate = invalid (57) Failed to authenticate the user (57) Using Post-Auth-Type Reject (57) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (57) Post-Auth-Type REJECT { (57) attr_filter.access_reject: EXPAND %{User-Name} (57) attr_filter.access_reject: --> test01 (57) attr_filter.access_reject: Matched entry DEFAULT at line 11 (57) [attr_filter.access_reject] = updated (57) [eap] = noop (57) policy remove_reply_message_if_eap { (57) if (&reply:EAP-Message && &reply:Reply-Message) { (57) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (57) else { (57) [noop] = noop (57) } # else = noop (57) } # policy remove_reply_message_if_eap = noop (57) } # Post-Auth-Type REJECT = updated (57) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (57) Sending delayed response (57) Sent Access-Reject Id 251 from 192.168.1.10:1812 to 192.168.1.20:32778 length 44 (57) EAP-Message = 0x04020004 (57) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 0.6 seconds. (52) Cleaning up request packet ID 246 with timestamp +2298 (53) Cleaning up request packet ID 247 with timestamp +2298 (54) Cleaning up request packet ID 248 with timestamp +2298 Waking up in 3.3 seconds. 
(58) Received Access-Request Id 252 from 192.168.1.20:32778 to 192.168.1.10:1812 length 163 (58) User-Name = "test01" (58) NAS-IP-Address = 192.168.1.20 (58) NAS-Port = 0 (58) Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up" (58) Calling-Station-Id = "78-04-73-D4-B4-24" (58) Framed-MTU = 1400 (58) NAS-Port-Type = Wireless-802.11 (58) Connect-Info = "CONNECT 0Mbps 802.11g" (58) EAP-Message = 0x0200000b01746573743031 (58) Message-Authenticator = 0x8087e4271b0fdcde223342ef9dd07a2d (58) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (58) authorize { (58) policy filter_username { (58) if (&User-Name) { (58) if (&User-Name) -> TRUE (58) if (&User-Name) { (58) if (&User-Name =~ / /) { (58) if (&User-Name =~ / /) -> FALSE (58) if (&User-Name =~ /@[^@]*@/ ) { (58) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (58) if (&User-Name =~ /\.\./ ) { (58) if (&User-Name =~ /\.\./ ) -> FALSE (58) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (58) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (58) if (&User-Name =~ /\.$/) { (58) if (&User-Name =~ /\.$/) -> FALSE (58) if (&User-Name =~ /@\./) { (58) if (&User-Name =~ /@\./) -> FALSE (58) } # if (&User-Name) = notfound (58) } # policy filter_username = notfound (58) [preprocess] = ok (58) [chap] = noop (58) [mschap] = noop (58) [digest] = noop (58) suffix: Checking for suffix after "@" (58) suffix: No '@' in User-Name = "test01", looking up realm NULL (58) suffix: No such realm "NULL" (58) [suffix] = noop (58) eap: Peer sent EAP Response (code 2) ID 0 length 11 (58) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (58) [eap] = ok (58) } # authorize = ok (58) Found Auth-Type = eap (58) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (58) authenticate { (58) eap: Peer sent packet with method EAP Identity (1) (58) eap: Calling submodule eap_md5 to process data (58) eap_md5: Issuing MD5 Challenge (58) eap: 
Sending EAP Request (code 1) ID 1 length 22 (58) eap: EAP session adding &reply:State = 0x2495222a249426c6 (58) [eap] = handled (58) } # authenticate = handled (58) Using Post-Auth-Type Challenge (58) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (58) Challenge { ... } # empty sub-section is ignored (58) Sent Access-Challenge Id 252 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0 (58) EAP-Message = 0x01010016041039f1f2b9147a22c98fa2c02d2638cf8c (58) Message-Authenticator = 0x00000000000000000000000000000000 (58) State = 0x2495222a249426c65548f2a1339b6a08 (58) Finished request Waking up in 1.3 seconds. (59) Received Access-Request Id 253 from 192.168.1.20:32778 to 192.168.1.10:1812 length 176 (59) User-Name = "test01" (59) NAS-IP-Address = 192.168.1.20 (59) NAS-Port = 0 (59) Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up" (59) Calling-Station-Id = "78-04-73-D4-B4-24" (59) Framed-MTU = 1400 (59) NAS-Port-Type = Wireless-802.11 (59) Connect-Info = "CONNECT 0Mbps 802.11g" (59) EAP-Message = 0x020100060319 (59) State = 0x2495222a249426c65548f2a1339b6a08 (59) Message-Authenticator = 0x14fc2eea705ed936b8612c6f0d377d37 (59) session-state: No cached attributes (59) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (59) authorize { (59) policy filter_username { (59) if (&User-Name) { (59) if (&User-Name) -> TRUE (59) if (&User-Name) { (59) if (&User-Name =~ / /) { (59) if (&User-Name =~ / /) -> FALSE (59) if (&User-Name =~ /@[^@]*@/ ) { (59) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (59) if (&User-Name =~ /\.\./ ) { (59) if (&User-Name =~ /\.\./ ) -> FALSE (59) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (59) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (59) if (&User-Name =~ /\.$/) { (59) if (&User-Name =~ /\.$/) -> FALSE (59) if (&User-Name =~ /@\./) { (59) if (&User-Name =~ /@\./) -> FALSE (59) } # if (&User-Name) = notfound (59) } # policy filter_username = 
notfound (59) [preprocess] = ok (59) [chap] = noop (59) [mschap] = noop (59) [digest] = noop (59) suffix: Checking for suffix after "@" (59) suffix: No '@' in User-Name = "test01", looking up realm NULL (59) suffix: No such realm "NULL" (59) [suffix] = noop (59) eap: Peer sent EAP Response (code 2) ID 1 length 6 (59) eap: No EAP Start, assuming it's an on-going EAP conversation (59) [eap] = updated (59) files: users: Matched entry test01 at line 1 (59) [files] = ok (59) [expiration] = noop (59) [logintime] = noop (59) pap: WARNING: Auth-Type already set. Not setting to PAP (59) [pap] = noop (59) } # authorize = updated (59) Found Auth-Type = eap (59) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (59) authenticate { (59) eap: Expiring EAP session with state 0x2495222a249426c6 (59) eap: Finished EAP session with state 0x2495222a249426c6 (59) eap: Previous EAP request found for state 0x2495222a249426c6, released from the list (59) eap: Peer sent packet with method EAP NAK (3) (59) eap: Found mutually acceptable type PEAP (25) (59) eap: Calling submodule eap_peap to process data (59) eap_peap: Initiating new TLS session (59) eap_peap: [eaptls start] = request (59) eap: Sending EAP Request (code 1) ID 2 length 6 (59) eap: EAP session adding &reply:State = 0x2495222a25973bc6 (59) [eap] = handled (59) } # authenticate = handled (59) Using Post-Auth-Type Challenge (59) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (59) Challenge { ... } # empty sub-section is ignored (59) Sent Access-Challenge Id 253 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0 (59) EAP-Message = 0x010200061920 (59) Message-Authenticator = 0x00000000000000000000000000000000 (59) State = 0x2495222a25973bc65548f2a1339b6a08 (59) Finished request Waking up in 1.3 seconds. 
(60) Received Access-Request Id 254 from 192.168.1.20:32778 to 192.168.1.10:1812 length 176 (60) User-Name = "test01" (60) NAS-IP-Address = 192.168.1.20 (60) NAS-Port = 0 (60) Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up" (60) Calling-Station-Id = "78-04-73-D4-B4-24" (60) Framed-MTU = 1400 (60) NAS-Port-Type = Wireless-802.11 (60) Connect-Info = "CONNECT 0Mbps 802.11g" (60) EAP-Message = 0x020200060300 (60) State = 0x2495222a25973bc65548f2a1339b6a08 (60) Message-Authenticator = 0xb644cab894ae217a6849d0600c69190c (60) session-state: No cached attributes (60) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (60) authorize { (60) policy filter_username { (60) if (&User-Name) { (60) if (&User-Name) -> TRUE (60) if (&User-Name) { (60) if (&User-Name =~ / /) { (60) if (&User-Name =~ / /) -> FALSE (60) if (&User-Name =~ /@[^@]*@/ ) { (60) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (60) if (&User-Name =~ /\.\./ ) { (60) if (&User-Name =~ /\.\./ ) -> FALSE (60) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (60) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (60) if (&User-Name =~ /\.$/) { (60) if (&User-Name =~ /\.$/) -> FALSE (60) if (&User-Name =~ /@\./) { (60) if (&User-Name =~ /@\./) -> FALSE (60) } # if (&User-Name) = notfound (60) } # policy filter_username = notfound (60) [preprocess] = ok (60) [chap] = noop (60) [mschap] = noop (60) [digest] = noop (60) suffix: Checking for suffix after "@" (60) suffix: No '@' in User-Name = "test01", looking up realm NULL (60) suffix: No such realm "NULL" (60) [suffix] = noop (60) eap: Peer sent EAP Response (code 2) ID 2 length 6 (60) eap: No EAP Start, assuming it's an on-going EAP conversation (60) [eap] = updated (60) files: users: Matched entry test01 at line 1 (60) [files] = ok (60) [expiration] = noop (60) [logintime] = noop (60) pap: WARNING: Auth-Type already set. 
Not setting to PAP (60) [pap] = noop (60) } # authorize = updated (60) Found Auth-Type = eap (60) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (60) authenticate { (60) eap: Expiring EAP session with state 0x2495222a25973bc6 (60) eap: Finished EAP session with state 0x2495222a25973bc6 (60) eap: Previous EAP request found for state 0x2495222a25973bc6, released from the list (60) eap: Peer sent packet with method EAP NAK (3) (60) eap: Peer NAK'd indicating it is not willing to continue (60) eap: Sending EAP Failure (code 4) ID 2 length 4 (60) eap: Failed in EAP select (60) [eap] = invalid (60) } # authenticate = invalid (60) Failed to authenticate the user (60) Using Post-Auth-Type Reject (60) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (60) Post-Auth-Type REJECT { (60) attr_filter.access_reject: EXPAND %{User-Name} (60) attr_filter.access_reject: --> test01 (60) attr_filter.access_reject: Matched entry DEFAULT at line 11 (60) [attr_filter.access_reject] = updated (60) [eap] = noop (60) policy remove_reply_message_if_eap { (60) if (&reply:EAP-Message && &reply:Reply-Message) { (60) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (60) else { (60) [noop] = noop (60) } # else = noop (60) } # policy remove_reply_message_if_eap = noop (60) } # Post-Auth-Type REJECT = updated (60) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (60) Sending delayed response (60) Sent Access-Reject Id 254 from 192.168.1.10:1812 to 192.168.1.20:32778 length 44 (60) EAP-Message = 0x04020004 (60) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 0.3 seconds. (55) Cleaning up request packet ID 249 with timestamp +2302 (56) Cleaning up request packet ID 250 with timestamp +2302 (57) Cleaning up request packet ID 251 with timestamp +2302 Waking up in 3.6 seconds. 
(61) Received Access-Request Id 255 from 192.168.1.20:32778 to 192.168.1.10:1812 length 163 (61) User-Name = "test01" (61) NAS-IP-Address = 192.168.1.20 (61) NAS-Port = 0 (61) Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up" (61) Calling-Station-Id = "78-04-73-D4-B4-24" (61) Framed-MTU = 1400 (61) NAS-Port-Type = Wireless-802.11 (61) Connect-Info = "CONNECT 0Mbps 802.11g" (61) EAP-Message = 0x0200000b01746573743031 (61) Message-Authenticator = 0x49e167e9cb3b5ff509d8d3e5b61c1b2a (61) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (61) authorize { (61) policy filter_username { (61) if (&User-Name) { (61) if (&User-Name) -> TRUE (61) if (&User-Name) { (61) if (&User-Name =~ / /) { (61) if (&User-Name =~ / /) -> FALSE (61) if (&User-Name =~ /@[^@]*@/ ) { (61) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (61) if (&User-Name =~ /\.\./ ) { (61) if (&User-Name =~ /\.\./ ) -> FALSE (61) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (61) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (61) if (&User-Name =~ /\.$/) { (61) if (&User-Name =~ /\.$/) -> FALSE (61) if (&User-Name =~ /@\./) { (61) if (&User-Name =~ /@\./) -> FALSE (61) } # if (&User-Name) = notfound (61) } # policy filter_username = notfound (61) [preprocess] = ok (61) [chap] = noop (61) [mschap] = noop (61) [digest] = noop (61) suffix: Checking for suffix after "@" (61) suffix: No '@' in User-Name = "test01", looking up realm NULL (61) suffix: No such realm "NULL" (61) [suffix] = noop (61) eap: Peer sent EAP Response (code 2) ID 0 length 11 (61) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (61) [eap] = ok (61) } # authorize = ok (61) Found Auth-Type = eap (61) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (61) authenticate { (61) eap: Peer sent packet with method EAP Identity (1) (61) eap: Calling submodule eap_md5 to process data (61) eap_md5: Issuing MD5 Challenge (61) eap: 
Sending EAP Request (code 1) ID 1 length 22 (61) eap: EAP session adding &reply:State = 0x01ee96a501ef923e (61) [eap] = handled (61) } # authenticate = handled (61) Using Post-Auth-Type Challenge (61) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (61) Challenge { ... } # empty sub-section is ignored (61) Sent Access-Challenge Id 255 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0 (61) EAP-Message = 0x010100160410b9a93abf296e702820def3851ae1fe1e (61) Message-Authenticator = 0x00000000000000000000000000000000 (61) State = 0x01ee96a501ef923e357b999b078feb76 (61) Finished request Waking up in 1.6 seconds. (62) Received Access-Request Id 0 from 192.168.1.20:32778 to 192.168.1.10:1812 length 176 (62) User-Name = "test01" (62) NAS-IP-Address = 192.168.1.20 (62) NAS-Port = 0 (62) Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up" (62) Calling-Station-Id = "78-04-73-D4-B4-24" (62) Framed-MTU = 1400 (62) NAS-Port-Type = Wireless-802.11 (62) Connect-Info = "CONNECT 0Mbps 802.11g" (62) EAP-Message = 0x020100060319 (62) State = 0x01ee96a501ef923e357b999b078feb76 (62) Message-Authenticator = 0xa17bce3f4ec7c654391d269bedd78571 (62) session-state: No cached attributes (62) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (62) authorize { (62) policy filter_username { (62) if (&User-Name) { (62) if (&User-Name) -> TRUE (62) if (&User-Name) { (62) if (&User-Name =~ / /) { (62) if (&User-Name =~ / /) -> FALSE (62) if (&User-Name =~ /@[^@]*@/ ) { (62) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (62) if (&User-Name =~ /\.\./ ) { (62) if (&User-Name =~ /\.\./ ) -> FALSE (62) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (62) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (62) if (&User-Name =~ /\.$/) { (62) if (&User-Name =~ /\.$/) -> FALSE (62) if (&User-Name =~ /@\./) { (62) if (&User-Name =~ /@\./) -> FALSE (62) } # if (&User-Name) = notfound (62) } # policy filter_username = 
notfound (62) [preprocess] = ok (62) [chap] = noop (62) [mschap] = noop (62) [digest] = noop (62) suffix: Checking for suffix after "@" (62) suffix: No '@' in User-Name = "test01", looking up realm NULL (62) suffix: No such realm "NULL" (62) [suffix] = noop (62) eap: Peer sent EAP Response (code 2) ID 1 length 6 (62) eap: No EAP Start, assuming it's an on-going EAP conversation (62) [eap] = updated (62) files: users: Matched entry test01 at line 1 (62) [files] = ok (62) [expiration] = noop (62) [logintime] = noop (62) pap: WARNING: Auth-Type already set. Not setting to PAP (62) [pap] = noop (62) } # authorize = updated (62) Found Auth-Type = eap (62) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (62) authenticate { (62) eap: Expiring EAP session with state 0x01ee96a501ef923e (62) eap: Finished EAP session with state 0x01ee96a501ef923e (62) eap: Previous EAP request found for state 0x01ee96a501ef923e, released from the list (62) eap: Peer sent packet with method EAP NAK (3) (62) eap: Found mutually acceptable type PEAP (25) (62) eap: Calling submodule eap_peap to process data (62) eap_peap: Initiating new TLS session (62) eap_peap: [eaptls start] = request (62) eap: Sending EAP Request (code 1) ID 2 length 6 (62) eap: EAP session adding &reply:State = 0x01ee96a500ec8f3e (62) [eap] = handled (62) } # authenticate = handled (62) Using Post-Auth-Type Challenge (62) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (62) Challenge { ... } # empty sub-section is ignored (62) Sent Access-Challenge Id 0 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0 (62) EAP-Message = 0x010200061920 (62) Message-Authenticator = 0x00000000000000000000000000000000 (62) State = 0x01ee96a500ec8f3e357b999b078feb76 (62) Finished request Waking up in 1.6 seconds. 
(63) Received Access-Request Id 1 from 192.168.1.20:32778 to 192.168.1.10:1812 length 176 (63) User-Name = "test01" (63) NAS-IP-Address = 192.168.1.20 (63) NAS-Port = 0 (63) Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up" (63) Calling-Station-Id = "78-04-73-D4-B4-24" (63) Framed-MTU = 1400 (63) NAS-Port-Type = Wireless-802.11 (63) Connect-Info = "CONNECT 0Mbps 802.11g" (63) EAP-Message = 0x020200060300 (63) State = 0x01ee96a500ec8f3e357b999b078feb76 (63) Message-Authenticator = 0x66bdf6161c0e88e2980aab79ee0ac5a8 (63) session-state: No cached attributes (63) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (63) authorize { (63) policy filter_username { (63) if (&User-Name) { (63) if (&User-Name) -> TRUE (63) if (&User-Name) { (63) if (&User-Name =~ / /) { (63) if (&User-Name =~ / /) -> FALSE (63) if (&User-Name =~ /@[^@]*@/ ) { (63) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (63) if (&User-Name =~ /\.\./ ) { (63) if (&User-Name =~ /\.\./ ) -> FALSE (63) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (63) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (63) if (&User-Name =~ /\.$/) { (63) if (&User-Name =~ /\.$/) -> FALSE (63) if (&User-Name =~ /@\./) { (63) if (&User-Name =~ /@\./) -> FALSE (63) } # if (&User-Name) = notfound (63) } # policy filter_username = notfound (63) [preprocess] = ok (63) [chap] = noop (63) [mschap] = noop (63) [digest] = noop (63) suffix: Checking for suffix after "@" (63) suffix: No '@' in User-Name = "test01", looking up realm NULL (63) suffix: No such realm "NULL" (63) [suffix] = noop (63) eap: Peer sent EAP Response (code 2) ID 2 length 6 (63) eap: No EAP Start, assuming it's an on-going EAP conversation (63) [eap] = updated (63) files: users: Matched entry test01 at line 1 (63) [files] = ok (63) [expiration] = noop (63) [logintime] = noop (63) pap: WARNING: Auth-Type already set. 
Not setting to PAP (63) [pap] = noop (63) } # authorize = updated (63) Found Auth-Type = eap (63) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (63) authenticate { (63) eap: Expiring EAP session with state 0x01ee96a500ec8f3e (63) eap: Finished EAP session with state 0x01ee96a500ec8f3e (63) eap: Previous EAP request found for state 0x01ee96a500ec8f3e, released from the list (63) eap: Peer sent packet with method EAP NAK (3) (63) eap: Peer NAK'd indicating it is not willing to continue (63) eap: Sending EAP Failure (code 4) ID 2 length 4 (63) eap: Failed in EAP select (63) [eap] = invalid (63) } # authenticate = invalid (63) Failed to authenticate the user (63) Using Post-Auth-Type Reject (63) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (63) Post-Auth-Type REJECT { (63) attr_filter.access_reject: EXPAND %{User-Name} (63) attr_filter.access_reject: --> test01 (63) attr_filter.access_reject: Matched entry DEFAULT at line 11 (63) [attr_filter.access_reject] = updated (63) [eap] = noop (63) policy remove_reply_message_if_eap { (63) if (&reply:EAP-Message && &reply:Reply-Message) { (63) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (63) else { (63) [noop] = noop (63) } # else = noop (63) } # policy remove_reply_message_if_eap = noop (63) } # Post-Auth-Type REJECT = updated (63) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (63) Sending delayed response (63) Sent Access-Reject Id 1 from 192.168.1.10:1812 to 192.168.1.20:32778 length 44 (63) EAP-Message = 0x04020004 (63) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 0.5 seconds. (58) Cleaning up request packet ID 252 with timestamp +2305 (59) Cleaning up request packet ID 253 with timestamp +2305 (60) Cleaning up request packet ID 254 with timestamp +2305 Waking up in 3.3 seconds. 
(61) Cleaning up request packet ID 255 with timestamp +2309 (62) Cleaning up request packet ID 0 with timestamp +2309 (63) Cleaning up request packet ID 1 with timestamp +2309 Ready to process requests