Freeradius2 + DDWRT WPA2 Enterprise
-
Hi guys! I planned pfSense so that my users can authenticate with WPA2 Enterprise. pfSense and the DD-WRT router can communicate and authenticate users using EAP-TTLS. My DD-WRT router is a Cisco E1000.
This is my EAP config:

/usr/local/etc/raddb/eap.conf

```
### EAP
eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = yes
    max_sessions = 4096

    ### DISABLED WEAK EAP TYPES MD5, GTC, LEAP ###

    ### EAP-TLS and EAP-TLS with OCSP support
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = whatever
        private_key_file = ${certdir}/server_key.pem
        certificate_file = ${certdir}/server_cert.pem
        CA_file = ${cadir}/ca_cert.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        fragment_size = 1024
        include_length = yes
        # check_crl = yes
        CA_path = ${cadir}
        ### check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/emailAddress=test@mycomp.com/CN=myca" ###
        ### check_cert_cn = %{User-Name} ###
        cipher_list = "DEFAULT"
        ecdh_curve = "prime256v1"
        cache {
            enable = no
            lifetime = 24
            max_entries = 255
        }
        verify {
            # tmpdir = /tmp/radiusd
            # client = "/path/to/openssl verify -CApath %{TLS-Client-Cert-Filename}"
        }
        ocsp {
            enable = no
            override_cert_url = no
            url = "http://127.0.0.1/ocsp/"
        }
    }

    ### EAP-TTLS
    ttls {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        include_length = yes
    }
    ### end ttls

    ### EAP-PEAP
    peap {
        default_eap_type = tls
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        # proxy_tunneled_request_as_eap = yes
        ### MS SoH Server is disabled ###
    }

    mschapv2 {
        # send_error = no
    }
}
```
This is my radius config:
/usr/local/etc/raddb/radiusd.conf

```
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run
libdir = ${exec_prefix}/lib/freeradius-2.1.12
pidfile = ${run_dir}/radiusd.pid
db_dir = ${raddbdir}
name = radiusd
#chroot = /path/to/chroot/directory
#user = freeradius
#group = freeradius

###############################################################################
### Is not present in freeradius 2.x radiusd.conf anymore but it was in 1.x ###
### delete_blocked_requests = no                                            ###
### usercollide = no                                                        ###
### lower_user = no                                                         ###
### lower_pass = no                                                         ###
### nospace_user = no                                                       ###
### nospace_pass = no                                                       ###
###############################################################################

max_request_time = 30
cleanup_delay = 5
max_requests = 1024
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = no

listen {
    type = auth
    ipaddr = 192.168.1.1
    port = 1812
}
listen {
    type = acct
    ipaddr = 192.168.1.1
    port = 1813
}

log {
    destination = syslog
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    auth = yes
    auth_badpass = yes
    auth_goodpass = yes
    msg_goodpass = ""
    msg_badpass = ""
}

checkrad = ${sbindir}/checkrad

security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}

### disable proxy module. In most environments we do not need to proxy requests to another RADIUS PROXY server
#proxy_requests = yes
#$INCLUDE proxy.conf

$INCLUDE clients.conf

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_queue_size = 65536
    max_requests_per_server = 0
}

modules {
    $INCLUDE ${confdir}/modules/
    $INCLUDE eap.conf
    ### Dis-/Enable sql.conf INCLUDE
    #$INCLUDE sql.conf
    ### Dis-/Enable sql/mysql/counter.conf INCLUDE
    #$INCLUDE sql/mysql/counter.conf
    #$INCLUDE sqlippool.conf
}

instantiate {
    exec
    expr
    daily
    weekly
    monthly
    forever
    expiration
    logintime
    ### Dis-/Enable sql instantiate
    #sql
}

$INCLUDE policy.conf
$INCLUDE sites-enabled/
```
And this is my client config:
/usr/local/etc/raddb/clients.conf

```
client "DDWRT" {
    ipaddr = 192.168.1.3
    proto = tcp
    secret = b2biIJP3kifQDljSzj
    require_message_authenticator = no
    max_connections = 16
    shortname = DDWRT
    nastype = other
    ### login = !root ###
    ### password = someadminpass ###
}
```
This is my system log:

```
Jan 30 11:21:13 radiusd[12412]: Ready to process requests.
Jan 30 11:21:13 radiusd[12409]: Loaded virtual server <default>
Jan 30 11:21:11 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'
Jan 30 11:21:11 radiusd[9699]: Exiting normally.
Jan 30 11:21:11 radiusd[9699]: Signalled to terminate
Jan 30 11:21:10 check_reload_status: Syncing firewall
Jan 30 11:18:48 radiusd[9699]: Login OK: [iPad/<via Auth-Type = EAP>] (from client DDWRT port 62 cli 3cd0f80ed5a5)
Jan 30 11:18:48 radiusd[9699]: Login OK: [iPad/<via Auth-Type = EAP>] (from client DDWRT port 62 cli 3cd0f80ed5a5)
Jan 30 11:18:48 radiusd[9699]: Login OK: [iPad/<via Auth-Type = mschap>] (from client DDWRT port 0 via TLS tunnel)
Jan 30 11:18:48 radiusd[9699]: Login OK: [iPad/<via Auth-Type = mschap>] (from client DDWRT port 0 via TLS tunnel)
Jan 30 11:18:20 radiusd[9699]: Ready to process requests.
Jan 30 11:18:20 radiusd[9383]: Loaded virtual server <default>
Jan 30 11:18:18 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'
Jan 30 11:18:18 radiusd[55432]: Exiting normally.
Jan 30 11:18:18 radiusd[55432]: Signalled to terminate
Jan 30 11:18:17 check_reload_status: Syncing firewall
Jan 30 11:17:18 radiusd[55432]: Login OK: [iPad/<via Auth-Type = EAP>] (from client DDWRT port 62 cli 3cd0f80ed5a5)
Jan 30 11:17:18 radiusd[55432]: Login OK: [iPad/<via Auth-Type = EAP>] (from client DDWRT port 62 cli 3cd0f80ed5a5)
Jan 30 11:17:18 radiusd[55432]: Login OK: [iPad/<via Auth-Type = mschap>] (from client DDWRT port 0 via TLS tunnel)
Jan 30 11:17:18 radiusd[55432]: Login OK: [iPad/<via Auth-Type = mschap>] (from client DDWRT port 0 via TLS tunnel)
Jan 30 11:15:22 apinger: rrdtool respawning too fast, waiting 300s.
Jan 30 11:14:22 apinger: Error while feeding rrdtool: Broken pipe
```
The problem is that iPhone/iPad users can authenticate and can surf the internet for about 1 minute, then the internet stops but they are still connected to the WiFi. ???
If I authenticate with my MacBook Pro I don't have any problem :o
I tried to change every config, but my iPad/iPhone still has this problem.
Can anyone help??? :) -
Make all changes and configuration in the GUI.
Then stop the radiusd service in the GUI, ssh to your pfSense and run:
radiusd -X
This runs FreeRADIUS in debug mode and you will see everything that is happening.
Read the debug carefully from top to bottom and FreeRADIUS will tell you what it is doing. You can post the debug output here, too, but make sure that there is no sensitive data in it like passwords or something like that. -
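The `radiusd -X` output is long and the useful signal is per request. As an added example, not code from this thread or from FreeRADIUS, here is a small Python parser for the line shapes in that output (rad_recv, attribute pairs, module return codes, Found Auth-Type, the ttls handshake trace, Sending, Finished request); the sample text is a constructed excerpt modelled on the iPad log posted below, with EAP-Message values shortened.

```python
# Added example (not from the thread or from FreeRADIUS): summarise "radiusd -X" output per request.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RAD_RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+), length=\d+")
ATTR = re.compile(r"^\s*([A-Za-z0-9-]+) = (.+)$")                  # tab-indented attribute pairs
MODULE = re.compile(r"^\+\+\[([^\]]+)\] returns (\w+)")               # ++[eap] returns handled
AUTH_TYPE = re.compile(r"^Found Auth-Type = (\S+)")
TLS_MSG = re.compile(r"^\[\w+\] (<<<|>>>) TLS [\d.]+ Handshake \[length [0-9a-f]+\], (\w+)")
SENDING = re.compile(r"^Sending (Access-\w+) of id \d+ to \S+ port \d+")
FINISHED = re.compile(r"^Finished request (\d+)\.")

@dataclass
class Request:
    packet_type: str
    nas: str
    radius_id: int
    attrs: Dict[str, str] = field(default_factory=dict)            # request attributes only
    modules: List[Tuple[str, str]] = field(default_factory=list)   # (module, rcode); noop dropped
    auth_type: Optional[str] = None
    tls: List[str] = field(default_factory=list)                   # handshake messages, "<name> in|out"
    reply: Optional[str] = None                                    # Access-Challenge/Accept/Reject
    number: Optional[int] = None                                   # from "Finished request N."

def parse_debug(text: str) -> List[Request]:
    """Walk the debug text once and collect one Request per rad_recv block."""
    requests: List[Request] = []
    cur: Optional[Request] = None
    in_reply = False   # attribute pairs after "Sending ..." belong to the reply, not the request
    for line in text.splitlines():
        if (m := RAD_RECV.match(line)):
            cur = Request(m.group(1), m.group(2), int(m.group(3)))
            requests.append(cur)
            in_reply = False
        elif cur is None:
            continue   # still inside the start-up config dump
        elif (m := SENDING.match(line)):
            cur.reply, in_reply = m.group(1), True
        elif (m := FINISHED.match(line)):
            cur.number = int(m.group(1))
            cur = None
        elif (m := MODULE.match(line)):
            if m.group(2) != "noop":
                cur.modules.append((m.group(1), m.group(2)))
        elif (m := AUTH_TYPE.match(line)):
            cur.auth_type = m.group(1)
        elif (m := TLS_MSG.match(line)):
            cur.tls.append(f"{m.group(2)} {'in' if m.group(1) == '<<<' else 'out'}")
        elif (m := ATTR.match(line)) and not in_reply:
            cur.attrs[m.group(1)] = m.group(2).strip('"')
    return requests

def summarize(requests: List[Request]) -> List[str]:
    lines = []
    for r in requests:
        mods = ",".join(f"{m}:{rc}" for m, rc in r.modules) or "-"
        lines.append(f"req {r.number} id={r.radius_id} {r.packet_type} from {r.nas} "
                     f"user={r.attrs.get('User-Name', '?')} nas-port={r.attrs.get('NAS-Port', '?')} "
                     f"cli={r.attrs.get('Calling-Station-Id', '?')} auth={r.auth_type or '-'} "
                     f"modules={mods} tls={';'.join(r.tls) or '-'} reply={r.reply or '-'}")
    return lines

def conversation_outcome(requests: List[Request]) -> str:
    """'accepted', 'rejected', or 'in-progress' when the capture stops on an Access-Challenge."""
    access = [r for r in requests if r.packet_type == "Access-Request"]
    if not access:
        return "no-requests"
    return {"Access-Accept": "accepted", "Access-Reject": "rejected",
            "Access-Challenge": "in-progress"}.get(access[-1].reply or "", "no-reply")

# Constructed excerpt modelled on the iPad debug log (EAP-Message values shortened).
SAMPLE = """\
rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=1, length=121
\tUser-Name = "iPad"
\tCalling-Station-Id = "a46706941f29"
\tNAS-Port = 34
++[preprocess] returns ok
++[mschap] returns noop
++[eap] returns updated
++[files] returns ok
++[checkval] returns notfound
Found Auth-Type = EAP
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.1.3 port 32777
\tState = 0x94215fb794204acd45d98454623e2c2b
Finished request 0.
rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=1, length=296
\tUser-Name = "iPad"
\tState = 0x94215fb794204acd45d98454623e2c2b
++[eap] returns ok
Found Auth-Type = EAP
[ttls] <<< TLS 1.0 Handshake [length 0097], ClientHello
[ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.1.3 port 32777
Finished request 1.
"""
```

Feed it the full `radiusd -X` capture (with the start-up dump) and `conversation_outcome` tells you whether the last EAP exchange ever reached an Access-Accept, which is the first thing to check when a client authenticates but later drops.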
Here is my iPad access log:

```
Last login: Wed Jan 30 21:30:39 on ttys000
Mac-Pro-di-Davide:~ Davide$ ssh admin@192.168.1.1
Password:
*** Welcome to pfSense 2.0.2-RELEASE-pfSense (amd64) on wifi ***

 WAN (wan)                 -> vr0        -> 192.168.1.1
 LAN (lan)                 -> rl0        -> 13.3.19.89

 0) Logout (SSH only)                  8) Shell
 1) Assign Interfaces                  9) pfTop
 2) Set interface(s) IP address       10) Filter Logs
 3) Reset webConfigurator password    11) Restart webConfigurator
 4) Reset to factory defaults         12) pfSense Developer Shell
 5) Reboot system                     13) Upgrade from console
 6) Halt system                       14) Disable Secure Shell (sshd)
 7) Ping host

Enter an option: 8

[2.0.2-RELEASE][admin@wifi.crnew]/root(1): radiusd -X
FreeRADIUS Version 2.1.12, for host amd64-portbld-freebsd8.1, built on Jun 19 2012 at 08:36:32
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/motp
including configuration file /usr/local/etc/raddb/modules/datacounter_acct
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
main {
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/var"
sbindir = "/usr/local/sbin"
logdir = "/var/log"
run_dir = "/var/run"
libdir = "/usr/local/lib/freeradius-2.1.12"
radacctdir = "/var/log/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
msg_badpass = ""
msg_goodpass = ""
}
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
client DDWRT {
ipaddr = 192.168.1.3
require_message_authenticator = no
secret = "b2biIJP3kifQDljSzj"
shortname = "DDWRT"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr
Module: Linked to module rlm_counter
Module: Instantiating module "daily" from file /usr/local/etc/raddb/modules/counter
counter daily {
filename = "/var/log/radacct/timecounter/db.daily"
key = "User-Name"
reset = "daily"
count-attribute = "Acct-Session-Time"
counter-name = "Daily-Session-Time"
check-name = "Max-Daily-Session"
reply-name = "Session-Timeout"
cache-size = 5000
}
rlm_counter: Counter attribute Daily-Session-Time is number 11273
rlm_counter: Current Time: 1359579930 [2013-01-30 22:05:30], Next reset 1359586800 [2013-01-31 00:00:00]
Module: Instantiating module "weekly" from file /usr/local/etc/raddb/modules/counter
counter weekly {
filename = "/var/log/radacct/timecounter/db.weekly"
key = "User-Name"
reset = "weekly"
count-attribute = "Acct-Session-Time"
counter-name = "Weekly-Session-Time"
check-name = "Max-Weekly-Session"
reply-name = "Session-Timeout"
cache-size = 5000
}
rlm_counter: Counter attribute Weekly-Session-Time is number 11275
rlm_counter: Current Time: 1359579930 [2013-01-30 22:05:30], Next reset 1359846000 [2013-02-03 00:00:00]
Module: Instantiating module "monthly" from file /usr/local/etc/raddb/modules/counter
counter monthly {
filename = "/var/log/radacct/timecounter/db.monthly"
key = "User-Name"
reset = "monthly"
count-attribute = "Acct-Session-Time"
counter-name = "Monthly-Session-Time"
check-name = "Max-Monthly-Session"
reply-name = "Session-Timeout"
cache-size = 5000
}
rlm_counter: Counter attribute Monthly-Session-Time is number 11277
rlm_counter: Current Time: 1359579930 [2013-01-30 22:05:30], Next reset 1359673200 [2013-02-01 00:00:00]
Module: Instantiating module "forever" from file /usr/local/etc/raddb/modules/counter
counter forever {
filename = "/var/log/radacct/timecounter/db.forever"
key = "User-Name"
reset = "never"
count-attribute = "Acct-Session-Time"
counter-name = "Forever-Session-Time"
check-name = "Max-Forever-Session"
reply-name = "Session-Timeout"
cache-size = 5000
}
rlm_counter: Counter attribute Forever-Session-Time is number 11279
rlm_counter: Current Time: 1359579930 [2013-01-30 22:05:30], Next reset 0 [2013-01-30 22:00:00]
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
modules {
Module: Creating Auth-Type = MOTP
Module: Creating Auth-Type = digest
Module: Creating Autz-Type = Status-Server
Module: Creating Acct-Type = Status-Server
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
allow_retry = yes
}
Module: Instantiating module "motp" from file /usr/local/etc/raddb/modules/motp
exec motp {
wait = yes
program = "/usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}"
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /usr/local/etc/raddb/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix
unix {
radwtmp = "/var/log/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = yes
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server_key.pem"
certificate_file = "/usr/local/etc/raddb/certs/server_cert.pem"
CA_file = "/usr/local/etc/raddb/certs/ca_cert.pem"
private_key_password = "whatever"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = no
url = "http://127.0.0.1/ocsp/"
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "tls"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = yes
}
Module: Instantiating module "ntdomain" from file /usr/local/etc/raddb/modules/realm
realm ntdomain {
format = "prefix"
delimiter = ""
ignore_default = no
ignore_null = yes
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
Module: Linked to module rlm_checkval
Module: Instantiating module "checkval" from file /usr/local/etc/raddb/modules/checkval
checkval {
item-name = "Calling-Station-Id"
check-name = "Calling-Station-Id"
data-type = "string"
notfound-reject = no
}
rlm_checkval: Registered name Calling-Station-Id for attribute 31
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /usr/local/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /usr/local/etc/raddb/modules/detail
detail {
detailfile = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "datacounterdaily" from file /usr/local/etc/raddb/modules/datacounter_acct
exec datacounterdaily {
wait = yes
program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} daily %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
input_pairs = "request"
shell_escape = yes
}
Module: Instantiating module "datacounterweekly" from file /usr/local/etc/raddb/modules/datacounter_acct
exec datacounterweekly {
wait = yes
program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} weekly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
input_pairs = "request"
shell_escape = yes
}
Module: Instantiating module "datacountermonthly" from file /usr/local/etc/raddb/modules/datacounter_acct
exec datacountermonthly {
wait = yes
program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} monthly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
input_pairs = "request"
shell_escape = yes
}
Module: Instantiating module "datacounterforever" from file /usr/local/etc/raddb/modules/datacounter_acct
exec datacounterforever {
wait = yes
program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} forever %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /usr/local/etc/raddb/modules/radutmp
radutmp {
filename = "/var/log/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
Module: Checking session {...} for more modules to load
Module: Checking pre-proxy {...} for more modules to load
Module: Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.pre-proxy {
attrsfile = "/usr/local/etc/raddb/attrs.pre-proxy"
key = "%{Realm}"
relaxed = no
}
Module: Checking post-proxy {...} for more modules to load
Module: Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.post-proxy {
attrsfile = "/usr/local/etc/raddb/attrs"
key = "%{Realm}"
relaxed = no
}
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 192.168.1.1
port = 1812
}
Listening on authentication address 192.168.1.1 port 1812
Listening on proxy address 192.168.1.1 port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=1, length=121
User-Name = "iPad"
NAS-IP-Address = 192.168.1.3
Called-Station-Id = "c2c1c00e689e"
Calling-Station-Id = "a46706941f29"
NAS-Identifier = "c2c1c00e689e"
NAS-Port = 34
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020000090169506164
Message-Authenticator = 0x2dda3209920a160194db88409e0287e1
Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "iPad", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '' in User-Name = "iPad", skipping NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry iPad at line 97
++[files] returns ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[weekly] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[monthly] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[forever] returns noop
rlm_checkval: Item Name: Calling-Station-Id, Value: a46706941f29
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.1.3 port 32777
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x94215fb794204acd45d98454623e2c2b
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=1, length=296
Cleaning up request 0 ID 1 with timestamp +25
User-Name = "iPad"
NAS-IP-Address = 192.168.1.3
Called-Station-Id = "c2c1c00e689e"
Calling-Station-Id = "a46706941f29"
NAS-Identifier = "c2c1c00e689e"
NAS-Port = 34
Framed-MTU = 1400
State = 0x94215fb794204acd45d98454623e2c2b
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020100a615800000009c160301009701000093030151098b34151f242280f30e9d2f0cc80621b979cd44485afda47f1371fdf4bf4a00005800ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c004c005c002c003c00ec00fc00cc00d003d003c002f000500040035000a0067006b003300390016c006c010c001c00b003b0002000101000012000a00080006001700180019000b00020100
Message-Authenticator = 0x333630872965c0dfba9a698e36eac0c2
Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "iPad", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '' in User-Name = "iPad", skipping NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 1 length 166
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 156
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0097], ClientHello
[ttls] TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[ttls] TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 085f], Certificate
[ttls] TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls] TLS_accept: SSLv3 write server done A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.1.3 port 32777
EAP-Message = 0x8acfe267ccaf7af4079f4fbad8e8be7bec306b1e33e63c1b87663c3b0203010001a38201383082013430090603551d1304023000301106096086480186f8420101040403020640303306096086480186f842010d042616244f70656e53534c2047656e65726174656420536572766572204365727469666963617465301d0603551d0e041604143cc25c57910ca9be7de0a82f2b21d526e46595f930819d0603551d230481953081928014ac3e27e1ee72a134ac1eff279ba44eadc42f8e23a177a4753073310b300906035504061302495431123010060355040813094c6f6d626172646961310e300c060355040713054372656d61310e300c060355
EAP-Message = 0x7e1c99d4d260cf7162e45dd7
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x94215fb795234acd45d98454623e2c2b
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=1, length=136
Cleaning up request 1 ID 1 with timestamp +25
User-Name = "iPad"
NAS-IP-Address = 192.168.1.3
Called-Station-Id = "c2c1c00e689e"
Calling-Station-Id = "a46706941f29"
NAS-Identifier = "c2c1c00e689e"
NAS-Port = 34
Framed-MTU = 1400
State = 0x94215fb795234acd45d98454623e2c2b
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200061500
Message-Authenticator = 0xa7a6a8828361fe3f3641feb4e2ac10e2
Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "iPad", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '' in User-Name = "iPad", skipping NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.1.3 port 32777
EAP-Message = 0xaa8a55e19ad3ef23f0963c5db75e69654d9cc8554ab5035c0e884cd57bdc58e7fc0da1257b337034a853b48fcd6afa64500b0fac22c4be2db936e4ecdb7aa84d28aa1d8b8ff7febfdeaf972282628ce9a88deaff369d0394c7d3809d488d1cd31cd392c1ae5cf2b6b6bea354101e025ceb7bd9a41ef62e6c9727eafca242f004631e1f36c0f76c0f7e3c34562c2035957015589b9772101c0b0838f9609b9ffbeb3c068f12dadba6d6eaec42c8ce52f42abc1af7154a5a1f79ce328788301f4596b6c56611caed630203010001a381d03081cd301d0603551d0e04160414ac3e27e1ee72a134ac1eff279ba44eadc42f8e2330819d0603551d23048195
EAP-Message = 0x3081928014ac3e27e1ee72a134ac1eff279ba44eadc42f8e23a177a4753073310b300906035504061302495431123010060355040813094c6f6d626172646961310e300c060355040713054372656d61310e300c060355040a13054c41303337311c301a06092a864886f70d010901160d776966694063726e65772e697431123010060355040313094153492043724e6577820100300c0603551d13040530030101ff300d06092a864886f70d010105050003820101004a8160c41cb815ff4d18004e6b5b6577aa1dafae6d2df70468cb60ce283a2a7377e43ae5e94c85a9aeefc0fe39006f44d853511b0a53923b2fd9021331fca457eb2e6ab807bd
EAP-Message = 0xb8960c9c801097dd1e941b16
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x94215fb796224acd45d98454623e2c2b
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=1, length=136
Cleaning up request 2 ID 1 with timestamp +25
User-Name = "iPad"
NAS-IP-Address = 192.168.1.3
Called-Station-Id = "c2c1c00e689e"
Calling-Station-Id = "a46706941f29"
NAS-Identifier = "c2c1c00e689e"
NAS-Port = 34
Framed-MTU = 1400
State = 0x94215fb796224acd45d98454623e2c2b
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300061500
Message-Authenticator = 0x4a2d6deb865440b3426564b7fd5b36ed
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "iPad", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "iPad", skipping NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.1.3 port 32777
EAP-Message = 0x010400c11580000008a390f514b521b67360c591cc78f7ecd97594a7823a57db3373fd940fd3cc0b47871454e476139cc53356ff2d30133229385a11432d34662a879b24a86e3d7b66f2f78dde1089628b4313c842ddea969da40440d6624a5c936878a6bb52a45745d9738a680b983bec2b70a5ff5a26bb113fa383deaf90199ad05aba595ab4841a72885bd534e0b8e6dcb71ee801c81fb7b191ab6d675094af7420b81075b8a8f5cced9b47e2dab1732a68f759d5497b16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x94215fb797254acd45d98454623e2c2b
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=1, length=338
Cleaning up request 3 ID 1 with timestamp +25
User-Name = "iPad"
NAS-IP-Address = 192.168.1.3
Called-Station-Id = "c2c1c00e689e"
Calling-Station-Id = "a46706941f29"
NAS-Identifier = "c2c1c00e689e"
NAS-Port = 34
Framed-MTU = 1400
State = 0x94215fb797254acd45d98454623e2c2b
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020400d01580000000c61603010086100000820080c46bf4b5b790b71c130f1987e9bdfca5c175e98e85b532ae72d7f0ab38c251fa6825f39a9920a07defe8be9156a7946858c4b03b8319364a9b83b4bb09edfdb6e6357d93d9ef416e48ebb263328adde16d7b00d906bab729f9438fcaa48e425ef87d59716169a27084240f500998ad86ab82139578e29bba9bc94bdbdd1276b21403010001011603010030c10530e8095e96c3509891ff8491db4673d2a15368f71618b80dc4c399558df7795c78800a1e49b3f9e16892a3997e2b
Message-Authenticator = 0xe5e0b7c956b13c669db1717b79f17ae0
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "iPad", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "iPad", skipping NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 4 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 198
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[ttls] TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 write finished A
[ttls] TLS_accept: SSLv3 flush data
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.1.3 port 32777
EAP-Message = 0x0105004515800000003b140301000101160301003034a486d8966d41cd37c59248c94f49154ad12fb37a110eede1a5aaba0f10bdf406862cfb279bfdf7d9255ed4b83d7014
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x94215fb790244acd45d98454623e2c2b
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=1, length=273
Cleaning up request 4 ID 1 with timestamp +25
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x94215fb790244acd did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "iPad"
NAS-IP-Address = 192.168.1.3
Called-Station-Id = "c2c1c00e689e"
Calling-Station-Id = "a46706941f29"
NAS-Identifier = "c2c1c00e689e"
NAS-Port = 34
Framed-MTU = 1400
State = 0x94215fb790244acd45d98454623e2c2b
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0205008f1580000000851703010080e9c572c5c0c62b307dda87c740eccd3c857f9f0e873b66027f1a2d6c51393b5cda2e7545f50dcc284fecf7820da49c435e37e97fe311c0b3b3156cd6e9d8d3f7fba9fb4b31c085b12f9725b5e227a3c93c3e56f334d4d9d5d8e635ec8f397abf608ae8b10bce5f9a66d9d52a15140a34e9e4f6b24e09bc1e9602359797ca1b53
Message-Authenticator = 0x6d2b616ca1f36e48bf97173dbe2df119
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "iPad", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "iPad", skipping NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 5 length 143
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 133
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
User-Name = "iPad"
MS-CHAP-Challenge = 0x093490bc65840024aba84788d4c925b0
MS-CHAP2-Response = 0x2900323f20a14542a33cd3688fdbc05c59790000000000000000a1015e46a2f08832b788e34de32c764abae001d13997106a
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
User-Name = "iPad"
MS-CHAP-Challenge = 0x093490bc65840024aba84788d4c925b0
MS-CHAP2-Response = 0x2900323f20a14542a33cd3688fdbc05c59790000000000000000a1015e46a2f08832b788e34de32c764abae001d13997106a
FreeRADIUS-Proxied-To = 127.0.0.1
NAS-IP-Address = 192.168.1.3
Called-Station-Id = "c2c1c00e689e"
Calling-Station-Id = "a46706941f29"
NAS-Identifier = "c2c1c00e689e"
NAS-Port = 34
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
server {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "iPad", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "iPad", skipping NULL due to config.
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry iPad at line 97
++[files] returns ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[weekly] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[monthly] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[forever] returns noop
rlm_checkval: Item Name: Calling-Station-Id, Value: a46706941f29
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: iPad
[mschap] Told to do MS-CHAPv2 for iPad with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
expand: ->
Login OK: [iPad/<via auth-type="mschap">] (from client DDWRT port 34 cli a46706941f29 via TLS tunnel)
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
} # server
[ttls] Got tunneled reply code 2
MS-CHAP2-Success = 0x29533d30323331463037313036394235453637324144384433303836323241413532464534453341304131
MS-MPPE-Recv-Key = 0xcb7a8c4763ceeda8fc01cf337f19d95f
MS-MPPE-Send-Key = 0xb5180abe5eaba9a027bb9c2788d3a770
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
[ttls] Got tunneled Access-Accept
[ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge.
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.1.3 port 32777
EAP-Message = 0x0106005f1580000000551703010050133518df9e7df1d120d561933a4b10717cadf25efa4b79d6a27af8a79b1a85f9d3874761a3b49231003304c538cf901deef171379ee87f731f42fdef2f10cd96b0e9acd65bf5a7ffd1ee64980f9ee0f4
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x94215fb791274acd45d98454623e2c2b
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=1, length=136
Cleaning up request 5 ID 1 with timestamp +29
User-Name = "iPad"
NAS-IP-Address = 192.168.1.3
Called-Station-Id = "c2c1c00e689e"
Calling-Station-Id = "a46706941f29"
NAS-Identifier = "c2c1c00e689e"
NAS-Port = 34
Framed-MTU = 1400
State = 0x94215fb791274acd45d98454623e2c2b
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020600061500
Message-Authenticator = 0x0061b2da35be299e47214ce0dbe7e4ff
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "iPad", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "iPad", skipping NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake is finished
[ttls] eaptls_verify returned 3
[ttls] eaptls_process returned 3
[ttls] Using saved attributes from the original Access-Accept
[eap] Freeing handler
++[eap] returns ok
expand: ->
Login OK: [iPad/<via auth-type="EAP">] (from client DDWRT port 34 cli a46706941f29)
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 1 to 192.168.1.3 port 32777
MS-MPPE-Recv-Key = 0xe4a80c1afc4de09ba8cdeb129584bc73f261c65d2584c914eda9f5c7da46fb9c
MS-MPPE-Send-Key = 0x9c2d77fa68aa2e2aa533669a550422a3b4e2ce15cf07415c447d7679f08c9889
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "iPad"
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 6 ID 1 with timestamp +29
Ready to process requests.

When I tap "renew the lease" on the iPad, the internet works for another minute, then it stops working again, but the iPad does not disconnect from the wifi…
-
And this is my Mac log..
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=121
User-Name = "iMac"
NAS-IP-Address = 192.168.1.3
Called-Station-Id = "c2c1c00e689e"
Calling-Station-Id = "6470020d9a60"
NAS-Identifier = "c2c1c00e689e"
NAS-Port = 55
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200000901694d6163
Message-Authenticator = 0x9c13a03c07eab38a110a59e874aac850
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry iMac at line 93
++[files] returns ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[weekly] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[monthly] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[forever] returns noop
rlm_checkval: Item Name: Calling-Station-Id, Value: 6470020d9a60
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.3 port 32777
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1382b4531383a10a15b5f944c410db05
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=258
Cleaning up request 0 ID 0 with timestamp +19
User-Name = "iMac"
NAS-IP-Address = 192.168.1.3
Called-Station-Id = "c2c1c00e689e"
Calling-Station-Id = "6470020d9a60"
NAS-Identifier = "c2c1c00e689e"
NAS-Port = 55
Framed-MTU = 1400
State = 0x1382b4531383a10a15b5f944c410db05
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201008015800000007616030100710100006d030151098d55a1e9f1029eddfe94d5826dabc35538e36d55033adea4d9a38fa1d5c100003200ffc00ac009c007c008c014c013c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a00330039001601000012000a00080006001700180019000b00020100
Message-Authenticator = 0xb38e5665f025282cdd55e467378bc591
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 1 length 128
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 118
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0071], ClientHello
[ttls] TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[ttls] TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 085f], Certificate
[ttls] TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls] TLS_accept: SSLv3 write server done A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.3 port 32777
EAP-Message = 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
EAP-Message = 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
EAP-Message = 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
EAP-Message = 0x040a13054c41303337311c301a06092a864886f70d010901160d776966694063726e65772e697431123010060355040313094153492043724e657782010030130603551d25040c300a06082b06010505070301300b0603551d0f0404030205a0300d06092a864886f70d01010505000382010100a80d50f89d43d86092a779f387a6c30db24e851178872f2c76e306b7b56bbd73203e98b415d9657e53a1abdebbf93942e241617267856002d0c8af616e3aca1412257c1afbfc5a2af425de35c1022820c0c583dd3ba09453fd30a7ded94ef407eda622d59632628f6e457c0db328909a0d2bb77c2fdec72a973838900404afcf381e06b232934e1736
EAP-Message = 0x7e1c99d4d260cf7162e45dd7
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1382b4531280a10a15b5f944c410db05
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=136
Cleaning up request 1 ID 0 with timestamp +19
User-Name = "iMac"
NAS-IP-Address = 192.168.1.3
Called-Station-Id = "c2c1c00e689e"
Calling-Station-Id = "6470020d9a60"
NAS-Identifier = "c2c1c00e689e"
NAS-Port = 55
Framed-MTU = 1400
State = 0x1382b4531280a10a15b5f944c410db05
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200061500
Message-Authenticator = 0x6578b31271da2ff6dde8d4919c6a41af
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.3 port 32777
EAP-Message = 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
EAP-Message = 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
EAP-Message = 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
EAP-Message = 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
EAP-Message = 0xb8960c9c801097dd1e941b16
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1382b4531181a10a15b5f944c410db05
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=136
Cleaning up request 2 ID 0 with timestamp +19
User-Name = "iMac"
NAS-IP-Address = 192.168.1.3
Called-Station-Id = "c2c1c00e689e"
Calling-Station-Id = "6470020d9a60"
NAS-Identifier = "c2c1c00e689e"
NAS-Port = 55
Framed-MTU = 1400
State = 0x1382b4531181a10a15b5f944c410db05
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300061500
Message-Authenticator = 0xb2da3df775ec12ab2444101216280070
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.3 port 32777
EAP-Message = 0x010400c11580000008a390f514b521b67360c591cc78f7ecd97594a7823a57db3373fd940fd3cc0b47871454e476139cc53356ff2d30133229385a11432d34662a879b24a86e3d7b66f2f78dde1089628b4313c842ddea969da40440d6624a5c936878a6bb52a45745d9738a680b983bec2b70a5ff5a26bb113fa383deaf90199ad05aba595ab4841a72885bd534e0b8e6dcb71ee801c81fb7b191ab6d675094af7420b81075b8a8f5cced9b47e2dab1732a68f759d5497b16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1382b4531086a10a15b5f944c410db05
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=338
Cleaning up request 3 ID 0 with timestamp +19
User-Name = "iMac"
NAS-IP-Address = 192.168.1.3
Called-Station-Id = "c2c1c00e689e"
Calling-Station-Id = "6470020d9a60"
NAS-Identifier = "c2c1c00e689e"
NAS-Port = 55
Framed-MTU = 1400
State = 0x1382b4531086a10a15b5f944c410db05
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020400d01580000000c616030100861000008200807519ef6cceff086f5962e26838788737a663c820392d1ac0984721aef30ed723e3121fc67619c5092261418f9e51c6ad7dd13d777cb9b717dcc532289aca026efa1158093f90f83d5605fa62c950ca9a454bdda956f9e2a30dbcbb220d6308c6cf7102a6a3f343f03b282902d5ce3f3b5b08f18045f2fde0a1912d3c3f8474ce1403010001011603010030b3fc54f8577174dbdb756eaed7bb01c4a76dcc243253bd5eaaf4b53aae7786b567ceb9bc6939d26f75bb407a84a441f6
Message-Authenticator = 0x1375ab587846a1b863e131ffead4d770
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 4 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 198
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[ttls] TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 write finished A
[ttls] TLS_accept: SSLv3 flush data
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.3 port 32777
EAP-Message = 0x0105004515800000003b1403010001011603010030deb0819e1dd9d78b553158e57147f6013cb6fb491a52fe3124275b891d43bcbfd5b186690c3d3e7700441a4592e2c979
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1382b4531787a10a15b5f944c410db05
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=273
Cleaning up request 4 ID 0 with timestamp +19
User-Name = "iMac"
NAS-IP-Address = 192.168.1.3
Called-Station-Id = "c2c1c00e689e"
Calling-Station-Id = "6470020d9a60"
NAS-Identifier = "c2c1c00e689e"
NAS-Port = 55
Framed-MTU = 1400
State = 0x1382b4531787a10a15b5f944c410db05
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0205008f1580000000851703010080e169a44d3e65f0149ef956cc91a1b62133eeaab1da6e23203c5c98320ae38f3d03adf4db9cda266899e118c939b4764a3b571a22d467d4d0986812b0717323d61c91c64c0074eb7efa372c3baf43101d05656f0c0e6a6afc813f544dcf75da09c907b455862201f72fdb7fcaccc99bf00ca852ec36e95e504c054bdc649db15a
Message-Authenticator = 0xb013f9209430b2c372e3aeb7f61f9dfc
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 5 length 143
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 133
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
User-Name = "iMac"
MS-CHAP-Challenge = 0xcc6298cba8b161bb9d0a4838d5eca2e2
MS-CHAP2-Response = 0xb2005c6e16fc1911a9b0edc83554da5ca61300000000000000005ef4841a62476db0ef14b3f8a5cca03e5476d29e76e8ca8b
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
User-Name = "iMac"
MS-CHAP-Challenge = 0xcc6298cba8b161bb9d0a4838d5eca2e2
MS-CHAP2-Response = 0xb2005c6e16fc1911a9b0edc83554da5ca61300000000000000005ef4841a62476db0ef14b3f8a5cca03e5476d29e76e8ca8b
FreeRADIUS-Proxied-To = 127.0.0.1
NAS-IP-Address = 192.168.1.3
Called-Station-Id = "c2c1c00e689e"
Calling-Station-Id = "6470020d9a60"
NAS-Identifier = "c2c1c00e689e"
NAS-Port = 55
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
server {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry iMac at line 93
++[files] returns ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[weekly] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[monthly] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[forever] returns noop
rlm_checkval: Item Name: Calling-Station-Id, Value: 6470020d9a60
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: iMac
[mschap] Told to do MS-CHAPv2 for iMac with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
expand: ->
Login OK: [iMac/<via auth-type="mschap">] (from client DDWRT port 55 cli 6470020d9a60 via TLS tunnel)
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
} # server
[ttls] Got tunneled reply code 2
MS-CHAP2-Success = 0xb2533d41314344433146424339424435323734353730343636344643343630383038383943423046354546
MS-MPPE-Recv-Key = 0x3ee5a67f518f8b217f447340af5ba72b
MS-MPPE-Send-Key = 0x316bd72d945b07ebc91e2b3189cc1851
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
[ttls] Got tunneled Access-Accept
[ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge.
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.3 port 32777
EAP-Message = 0x0106005f15800000005517030100500d6d01deb451305ab16ef800d9add4426a3c25ee51ba0f9771e0d293d3e68a5e214684d5beb70b054d7079aea5859721ab49e470079163c2d8e0ce358281f662b2325c32c168abcb5e1687b16bd5ec39
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1382b4531684a10a15b5f944c410db05
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=136
Cleaning up request 5 ID 0 with timestamp +19
User-Name = "iMac"
NAS-IP-Address = 192.168.1.3
Called-Station-Id = "c2c1c00e689e"
Calling-Station-Id = "6470020d9a60"
NAS-Identifier = "c2c1c00e689e"
NAS-Port = 55
Framed-MTU = 1400
State = 0x1382b4531684a10a15b5f944c410db05
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020600061500
Message-Authenticator = 0x82131b8787036731112f17082ec2f991
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake is finished
[ttls] eaptls_verify returned 3
[ttls] eaptls_process returned 3
[ttls] Using saved attributes from the original Access-Accept
[eap] Freeing handler
++[eap] returns ok
expand: ->
Login OK: [iMac/<via auth-type="EAP">] (from client DDWRT port 55 cli 6470020d9a60)
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 0 to 192.168.1.3 port 32777
MS-MPPE-Recv-Key = 0xacd8f46fa3435add4f44b48f482ae3ca0c6f45def714628188203c1d1381fabd
MS-MPPE-Send-Key = 0x9c50355c211a8a7cb426fd13937679181d243de4798118f1ebebee1ecf0697c7
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "iMac"
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 6 ID 0 with timestamp +19
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=121
User-Name = "iMac"
NAS-IP-Address = 192.168.1.3
Called-Station-Id = "c2c1c00e689e"
Calling-Station-Id = "6470020d9a60"
NAS-Identifier = "c2c1c00e689e"
NAS-Port = 55
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200000901694d6163
Message-Authenticator = 0x26d2daa1b284cba289422cb984790f54
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry iMac at line 93
++[files] returns ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[weekly] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[monthly] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[forever] returns noop
rlm_checkval: Item Name: Calling-Station-Id, Value: 6470020d9a60
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.3 port 32777
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa5bdaa33a5bcbf7615f7075b5970b3e6
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=258
Cleaning up request 7 ID 0 with timestamp +53
User-Name = "iMac"
NAS-IP-Address = 192.168.1.3
Called-Station-Id = "c2c1c00e689e"
Calling-Station-Id = "6470020d9a60"
NAS-Identifier = "c2c1c00e689e"
NAS-Port = 55
Framed-MTU = 1400
State = 0xa5bdaa33a5bcbf7615f7075b5970b3e6
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201008015800000007616030100710100006d030151098d77823e23f340fce39737aca017500381c02046d067aa630d5e0dc3331b00003200ffc00ac009c007c008c014c013c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a00330039001601000012000a00080006001700180019000b00020100
Message-Authenticator = 0x353ad6a41749680aef6eff6fe4cc15e7
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 1 length 128
[eap] Continuing tunnel setup.
++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 118 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0071], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 085f], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.3 port 32777 EAP-Message = … EAP-Message = … EAP-Message = 0x8acfe267ccaf7af4079f4fbad8e8be7bec306b1e33e63c1b87663c3b0203010001a38201383082013430090603551d1304023000301106096086480186f8420101040403020640303306096086480186f842010d042616244f70656e53534c2047656e65726174656420536572766572204365727469666963617465301d0603551d0e041604143cc25c57910ca9be7de0a82f2b21d526e46595f930819d0603551d230481953081928014ac3e27e1ee72a134ac1eff279ba44eadc42f8e23a177a4753073310b300906035504061302495431123010060355040813094c6f6d626172646961310e300c060355040713054372656d61310e300c060355 EAP-Message = … EAP-Message = 0x7e1c99d4d260cf7162e45dd7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa5bdaa33a4bfbf7615f7075b5970b3e6
Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=136 Cleaning up request 8 ID 0 with timestamp +53 User-Name = "iMac" NAS-IP-Address = 192.168.1.3 Called-Station-Id = "c2c1c00e689e" Calling-Station-Id = "6470020d9a60" NAS-Identifier = "c2c1c00e689e" NAS-Port = 55 Framed-MTU = 1400 State = 0xa5bdaa33a4bfbf7615f7075b5970b3e6 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020200061500 Message-Authenticator = 0x0deceb8155ceaab4e82ac3791c2f3420 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "iMac", skipping NULL due to config. ++[suffix] returns noop [ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config. ++[ntdomain] returns noop [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.3 port 32777 EAP-Message = … EAP-Message = … EAP-Message = … EAP-Message = … EAP-Message = 0xb8960c9c801097dd1e941b16 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa5bdaa33a7bebf7615f7075b5970b3e6 Finished request 9.
Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=136 Cleaning up request 9 ID 0 with timestamp +53 User-Name = "iMac" NAS-IP-Address = 192.168.1.3 Called-Station-Id = "c2c1c00e689e" Calling-Station-Id = "6470020d9a60" NAS-Identifier = "c2c1c00e689e" NAS-Port = 55 Framed-MTU = 1400 State = 0xa5bdaa33a7bebf7615f7075b5970b3e6 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061500 Message-Authenticator = 0x60c86b636fd6ea3523e9a202e489b241 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "iMac", skipping NULL due to config. ++[suffix] returns noop [ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config. ++[ntdomain] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. 
++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.3 port 32777 EAP-Message = 0x010400c11580000008a390f514b521b67360c591cc78f7ecd97594a7823a57db3373fd940fd3cc0b47871454e476139cc53356ff2d30133229385a11432d34662a879b24a86e3d7b66f2f78dde1089628b4313c842ddea969da40440d6624a5c936878a6bb52a45745d9738a680b983bec2b70a5ff5a26bb113fa383deaf90199ad05aba595ab4841a72885bd534e0b8e6dcb71ee801c81fb7b191ab6d675094af7420b81075b8a8f5cced9b47e2dab1732a68f759d5497b16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa5bdaa33a6b9bf7615f7075b5970b3e6 Finished request 10. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=338 Cleaning up request 10 ID 0 with timestamp +53 User-Name = "iMac" NAS-IP-Address = 192.168.1.3 Called-Station-Id = "c2c1c00e689e" Calling-Station-Id = "6470020d9a60" NAS-Identifier = "c2c1c00e689e" NAS-Port = 55 Framed-MTU = 1400 State = 0xa5bdaa33a6b9bf7615f7075b5970b3e6 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400d01580000000c6160301008610000082008069173536bfc7ee7791552aacdda0fd3882cccf197f2b475cdd65eb8914f8ab8745241a58ac414edaac3b7ae66c3b29a53851c104a39706a834cc8d9971218652dff6b445a052bfde4edfab808c5f7d8f5bf218bf9a70413c0379c60c03adaaf3e5e3f3e731be93c4b6b0c778effd2f045b3e80de55328a8b452584c19eb5c7641403010001011603010030e7cf383fbf1575586b46afc7b602b833819a628c3bb5b2b09e6d5185952e72bb11285e2ef0bbfd05b4c59b57b2385414 Message-Authenticator = 0xf82c8d3c547ad0eab25ca945056bdcd3 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "iMac", skipping NULL due to config. ++[suffix] returns noop [ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config. ++[ntdomain] returns noop [eap] EAP packet type response id 4 length 208 [eap] Continuing tunnel setup. 
++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 198 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.3 port 32777 EAP-Message = 0x0105004515800000003b14030100010116030100309f29009a79ccfde28f7ae3a940426ec7d38df955b8c2f612a939f267e2a93664f867d3d23400685f9515bce439da11ca Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa5bdaa33a1b8bf7615f7075b5970b3e6 Finished request 11. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=273 Cleaning up request 11 ID 0 with timestamp +53 User-Name = "iMac" NAS-IP-Address = 192.168.1.3 Called-Station-Id = "c2c1c00e689e" Calling-Station-Id = "6470020d9a60" NAS-Identifier = "c2c1c00e689e" NAS-Port = 55 Framed-MTU = 1400 State = 0xa5bdaa33a1b8bf7615f7075b5970b3e6 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0205008f15800000008517030100800c5401a9205d3b231283767efe5cab504bbc8ea3bf23a0252e6e2fb0e25c44052167860c7a038ca15d4aff84a641c68de621bfe99c581b25fbe4f206b67fe7479a67e988e7d9266f0a11fa30bc508a77fc41bd132335d8b695eb08719bcece3529a75bdaf74bdad04a9f083fedb6158227293542619d0f7eb74e2973dca89682 Message-Authenticator = 0xd746bd69bc1d78c782da3a672584b123 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "iMac", skipping NULL due to config. ++[suffix] returns noop [ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config. ++[ntdomain] returns noop [eap] EAP packet type response id 5 length 143 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 133 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. 
[ttls] Got tunneled request User-Name = "iMac" MS-CHAP-Challenge = 0x216e6d7055b6953d0c5c274e8c711562 MS-CHAP2-Response = 0x930032134e0db83e0e739dd1f9deab504b8b0000000000000000358813952bcb09e1da295f0db3f0c422c3b62833ea0d27ee FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "iMac" MS-CHAP-Challenge = 0x216e6d7055b6953d0c5c274e8c711562 MS-CHAP2-Response = 0x930032134e0db83e0e739dd1f9deab504b8b0000000000000000358813952bcb09e1da295f0db3f0c422c3b62833ea0d27ee FreeRADIUS-Proxied-To = 127.0.0.1 NAS-IP-Address = 192.168.1.3 Called-Station-Id = "c2c1c00e689e" Calling-Station-Id = "6470020d9a60" NAS-Identifier = "c2c1c00e689e" NAS-Port = 55 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 server { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "iMac", skipping NULL due to config. ++[suffix] returns noop [ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config. 
++[ntdomain] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry iMac at line 93 ++[files] returns ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] returns noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] returns noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] returns noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] returns noop rlm_checkval: Item Name: Calling-Station-Id, Value: 6470020d9a60 rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: iMac [mschap] Told to do MS-CHAPv2 for iMac with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok expand: -> Login OK: [iMac/<via auth-type="mschap">] (from client DDWRT port 55 cli 6470020d9a60 via TLS tunnel) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop } # server [ttls] Got tunneled reply code 2 MS-CHAP2-Success = 0x93533d39374131363033353637343945314339393946433543413433463645334434433344304433443941 MS-MPPE-Recv-Key = 0x05c970907689df9dbe77e699083a3adf MS-MPPE-Send-Key = 0x82c190c2664540b58c0386a3cb0ca4e0 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 [ttls] Got tunneled Access-Accept [ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge. 
++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.3 port 32777 EAP-Message = 0x0106005f1580000000551703010050f9c88cad381982a1f0ae154e0f519e88b6fbcdbd7896333fb06ab6524ae714b6e2731e77747135858c4952f2f2a8c3c5a36c3f4d4d2f7330ff69d11fb10754113cfb05d8bd0983ab6e9ddbd223ba875f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa5bdaa33a0bbbf7615f7075b5970b3e6 Finished request 12. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=136 Cleaning up request 12 ID 0 with timestamp +53 User-Name = "iMac" NAS-IP-Address = 192.168.1.3 Called-Station-Id = "c2c1c00e689e" Calling-Station-Id = "6470020d9a60" NAS-Identifier = "c2c1c00e689e" NAS-Port = 55 Framed-MTU = 1400 State = 0xa5bdaa33a0bbbf7615f7075b5970b3e6 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020600061500 Message-Authenticator = 0x6c0cd455b83db547049df27c1c4d0f04 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "iMac", skipping NULL due to config. ++[suffix] returns noop [ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config. ++[ntdomain] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. 
++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake is finished [ttls] eaptls_verify returned 3 [ttls] eaptls_process returned 3 [ttls] Using saved attributes from the original Access-Accept [eap] Freeing handler ++[eap] returns ok expand: -> Login OK: [iMac/<via auth-type="EAP">] (from client DDWRT port 55 cli 6470020d9a60) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 0 to 192.168.1.3 port 32777 MS-MPPE-Recv-Key = 0xe9344df21fd77df35a00cb75110bf1d978d4572954c5747f069ccd42fd5ecfaa MS-MPPE-Send-Key = 0xe79c8437ca1b7bf9655c2312af508f4d8f747dd6023456f8049ef7c070844927 EAP-Message = 0x03060004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "iMac" Finished request 13. Going to the next request Waking up in 4.9 seconds. Cleaning up request 13 ID 0 with timestamp +53 Ready to process requests.
I'm still on the internet after 20 :o minutes…
I can't understand where the problem is...
Do you understand anything?? :) -
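The debug output above is long because `radiusd -X` prints every module call; the lines that decide the outcome are the `Login OK` / `Login incorrect` lines, one for the MS-CHAPv2 step inside the TLS tunnel and one for the outer EAP result that becomes the Access-Accept. The script below is an added example, not part of the thread, that condenses such a log to one line per authentication result keyed by client MAC. The sample log is constructed to match the shape of the log above, using FreeRADIUS 2.x's raw form `[user/<via Auth-Type = X>]` (the forum rendering above shows it as `<via auth-type="X">`, with stray `</via>` closers at the end of the log); the `iPad` failure line is invented to show a rejected inner authentication.

```shell
#!/bin/sh
# Added example (not from the thread): condense "radiusd -X" output from
# FreeRADIUS 2.x into one line per authentication result, so a long debug
# log can be checked per client MAC at a glance.

# Constructed sample in the shape of the raw 2.x debug log.
sample_log() {
  cat <<'EOF'
rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=258
Login OK: [iMac/<via Auth-Type = mschap>] (from client DDWRT port 55 cli 6470020d9a60 via TLS tunnel)
Sending Access-Challenge of id 0 to 192.168.1.3 port 32777
Login OK: [iMac/<via Auth-Type = EAP>] (from client DDWRT port 55 cli 6470020d9a60)
Sending Access-Accept of id 0 to 192.168.1.3 port 32777
Login incorrect (mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.): [iPad/<via Auth-Type = mschap>] (from client DDWRT port 56 cli 001122334455 via TLS tunnel)
Sending Access-Reject of id 1 to 192.168.1.3 port 32777
EOF
}

# summarise: reads the debug log on stdin and prints, per Login line:
#   OK|FAIL  user  client-MAC  Auth-Type  inner|outer
# "inner" is the authentication inside the TLS tunnel (the MS-CHAPv2 step),
# "outer" the EAP result that becomes the Access-Accept/Reject to the AP.
summarise() {
  awk '
    /^Login (OK|incorrect)/ {
      outcome = ($2 == "OK:") ? "OK" : "FAIL"
      rest = substr($0, index($0, "[") + 1)         # user/<via ...>] (from ...
      user = substr(rest, 1, index(rest, "/") - 1)
      i = index($0, "Auth-Type = ")
      at = (i > 0) ? substr($0, i + 12) : "-"       # EAP>] (from ...
      sub(/>.*$/, "", at)
      i = index($0, " cli ")
      mac = (i > 0) ? substr($0, i + 5) : "-"       # 6470... via TLS tunnel)
      sub(/[ )].*$/, "", mac)
      side = ($0 ~ /via TLS tunnel/) ? "inner" : "outer"
      print outcome, user, mac, at, side
    }'
}

# failures_per_mac: count FAIL results per client MAC, from stdin log.
failures_per_mac() {
  summarise | awk '$1 == "FAIL" { n[$3]++ } END { for (m in n) print m, n[m] }'
}

# Usage on the server:   radiusd -X 2>&1 | summarise
# With the sample:       sample_log | summarise
```

A station that stays associated but loses connectivity after a minute, as described in this thread, would show either repeated `FAIL` lines for its MAC (a credential or inner-method problem) or, as in the log above, only `OK` lines, which points away from RADIUS and towards the network path.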
Hmm,
I am no freeradius log expert but I do not see anything strange…
But if you say that the WLAN connection still exists but there is a problem with the IP address, then perhaps you need to search somewhere else.
You can try to add a static IP to your devices and try again to see if it then works. Further, try whether this problem exists if both are connected at the same time and if it does not exist when only one device is connected (only your iPad)
-
well.. I changed the security authentication… I use open wifi with the pfsense CaptivePortal... and... tatatadaaa.. same problem!!!!
the mac can connect to the CP and can surf the internet ALL the time.. the iPhone/iPad after a minute are still connected to the wifi network but can't surf the internet... :'(
then I think it is a freeradius2 problem because when I used freeradius there weren't these problems... :-[ so.. what can I do? reinstall freeradius2? ??? ???
-
Can you try to increase:
"Expiration of EAP-Response / EAP-Request List" to let's say 120s and try again. I don't think it is a freeradius problem. Perhaps it is a problem of the supplicant installed on the iPad/iPhone.
If the MAC is working with the same settings and other devices do not work - then it is probably not a RADIUS issue. -
OK, after a hard reset of pfsense and ddwrt now I understand!! ;D ;D ;D
Are you good with iptables?
In my ddwrt I have 2 networks: public (13.3.89.X) and private (192.168.1.X).
but in both the pfsense and ddwrt firewalls I have the rule that the public network (with wpa2 enterprise) can't access the private network..
BUT the RADIUS is in the private network!!
I post an example image :D
https://dl.dropbox.com/u/28376825/foto.JPG
So, if I put into DDWRT iptables the rule that the private network can **only** access the pfsense RADIUS port then it should work..!! Do you know the iptables to do this??? :)
-
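Firewall rules of the kind asked for above, as an added example that is not from the thread and not DD-WRT's own firewall script. It assumes, hypothetically, the subnets from the post (public WLAN 13.3.89.0/24, private LAN 192.168.1.0/24), that pfSense's RADIUS server is reachable at 192.168.1.1 on the standard UDP ports 1812 (authentication) and 1813 (accounting), and that the router's `iptables` has the `state` match; change the variables at the top if yours differ. Only RADIUS traffic is permitted from the public side into the private LAN, replies to LAN-initiated sessions are allowed back, and everything else is dropped. One caveat for WPA2 Enterprise: wireless stations never speak RADIUS themselves, the access point does, so the permit must cover whichever source address the AP's RADIUS client actually uses (the thread later concludes it was bound to the wrong bridge), and the same allow has to sit above the block rule on the pfSense side.

```shell
#!/bin/sh
# Added example (not from the thread): DD-WRT firewall fragment that lets the
# public WLAN reach ONLY the RADIUS ports on pfSense and drops everything else
# it sends towards the private LAN.
#
# Hypothetical values; override them from the environment if yours differ.
PUBLIC_NET=${PUBLIC_NET:-13.3.89.0/24}     # "public" WLAN subnet from the post
PRIVATE_NET=${PRIVATE_NET:-192.168.1.0/24} # private LAN subnet from the post
RADIUS_HOST=${RADIUS_HOST:-192.168.1.1}    # assumed pfSense address in the LAN
RADIUS_PORTS=${RADIUS_PORTS:-1812:1813}    # standard RADIUS auth and accounting
IPT=${IPT:-iptables}                       # set IPT=echo for a dry run

# Print the iptables commands, one per line. A dedicated chain keeps the order
# explicit: RADIUS first, replies to LAN-initiated sessions second, then the
# blanket drop. The FORWARD jump is deleted before it is re-inserted so the
# script can be run again (DD-WRT re-runs firewall scripts on every WAN-up)
# without stacking duplicate rules.
radius_rules() {
  cat <<EOF
$IPT -N guest2lan 2>/dev/null || true
$IPT -F guest2lan
$IPT -A guest2lan -d $RADIUS_HOST -p udp --dport $RADIUS_PORTS -j ACCEPT
$IPT -A guest2lan -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A guest2lan -j DROP
$IPT -D FORWARD -s $PUBLIC_NET -d $PRIVATE_NET -j guest2lan 2>/dev/null || true
$IPT -I FORWARD 1 -s $PUBLIC_NET -d $PRIVATE_NET -j guest2lan
EOF
}

# Execute the generated commands in order.
apply_rules() {
  radius_rules | while IFS= read -r cmd; do eval "$cmd"; done
}

# Usage: review with  IPT=echo sh this-script.sh ; then, inside the DD-WRT
# firewall script, call apply_rules. Set APPLY=1 to apply when run directly.
if [ "${APPLY:-0}" = 1 ]; then apply_rules; fi
```

The `-I FORWARD 1` places the jump ahead of DD-WRT's generated rules so the guest-to-LAN decision is made here and nowhere else; verify with `iptables -L FORWARD -n --line-numbers` that it stays at the top after the router regenerates its firewall.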
Sorry, I do not have any experience with iptables.
Probably asking google will give you better answers ;) -
It is a DDWRT Bug..!!
I discovered that the encryption agent is using the wrong bridge interface.
Thank You very much :D
Now I'll go into DDWRT forum to get help for this Bug ;)