Freeradius2 + DDWRT WPA2 Enterprise



  • Hi guys! I planned pfSense so that my users can authenticate with WPA2 Enterprise. PfSense and the DDWRT router can communicate and authenticate users using EAP-TTLS. My ddwrt router is a ciscoE1000.
    This is my EAP config:

    /usr/local/etc/raddb/eap.conf
    Array	### EAP
    	# EAP module configuration as posted: TTLS is the default outer method and the
    	# tls {} section below holds the server certificate and private key settings.
    	eap {
    		default_eap_type = ttls
    		timer_expire     = 60
    		# Unknown EAP types are not ignored here (no).
    		ignore_unknown_eap_types = no
    		cisco_accounting_username_bug = yes
    		max_sessions = 4096
    
    		### DISABLED WEAK EAP TYPES MD5, GTC, LEAP ###
    
    		### EAP-TLS and EAP-TLS with OCSP support
    		tls {
    			certdir = ${confdir}/certs
    			cadir = ${confdir}/certs
    			# NOTE(review): this key password is now public (it is also echoed in the
    			# radiusd -X output further down the page). Replace it with a unique value
    			# and keep the key file readable only by the account running radiusd.
    			private_key_password = whatever
    			private_key_file = ${certdir}/server_key.pem
    			certificate_file = ${certdir}/server_cert.pem
    			CA_file = ${cadir}/ca_cert.pem
    			# NOTE(review): the debug dump on this page reports dh_key_length = 512;
    			# confirm the parameters stored in this file are of adequate size.
    			dh_file = ${certdir}/dh
    			random_file = ${certdir}/random
    			fragment_size = 1024
    			include_length = yes
    		# CRL checking is commented out and ocsp {} below is disabled, so no
    		# revocation check is configured for client certificates.
    		#	check_crl = yes
    			CA_path = ${cadir}
    			# Both certificate checks below are commented out: neither the issuer nor a
    			# CN-to-User-Name match is enforced for client certificates.
    			### check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/emailAddress=test@mycomp.com/CN=myca" ###
    			### check_cert_cn = %{User-Name} ###
    			# "DEFAULT" leaves the cipher suite selection to the OpenSSL build; list the
    			# suites explicitly if weak ones have to be excluded.
    			cipher_list = "DEFAULT"
    			ecdh_curve = "prime256v1"
    			# TLS session cache is disabled (enable = no).
    			cache {
    			      enable = no
    			      lifetime = 24
    			      max_entries = 255
    			}
    			# No external certificate verification command is configured.
    			verify {
    		#     		tmpdir = /tmp/radiusd
    		#    		client = "/path/to/openssl verify -CApath  %{TLS-Client-Cert-Filename}"
    			}
    			# OCSP lookups are disabled.
    			ocsp {
    			      enable = no
    			      override_cert_url = no
    			      url = "http://127.0.0.1/ocsp/"
    			}
    		}
    
    		### EAP-TTLS
    		ttls {
    			# The inner method is MSCHAPv2. It is protected only by the TLS tunnel, so
    			# every supplicant must validate the server certificate (CA and server name)
    			# before it sends credentials.
    			default_eap_type = mschapv2
    			copy_request_to_tunnel = yes
    			use_tunneled_reply = yes
    			include_length = yes
    		}	### end ttls	
    
    		### EAP-PEAP
    		peap {
    			# PEAP uses TLS as its inner method, i.e. clients need a certificate.
    			default_eap_type = tls
    			copy_request_to_tunnel = yes
    			use_tunneled_reply = yes
    		# Commented out; the debug dump on this page still reports
    		# proxy_tunneled_request_as_eap = yes for peap.
    		#	proxy_tunneled_request_as_eap = yes
    			### MS SoH Server is disabled ###
    		}
    		mschapv2 {
    		#	send_error = no
    		}	
    	}
    

    This is my radius config:

    /usr/local/etc/raddb/radiusd.conf
    # Installation paths; the later entries are derived from prefix and localstatedir.
    prefix = /usr/local
    exec_prefix = ${prefix}
    sysconfdir = ${prefix}/etc
    localstatedir = /var
    sbindir = ${exec_prefix}/sbin
    logdir = ${localstatedir}/log
    raddbdir = ${sysconfdir}/raddb
    radacctdir = ${logdir}/radacct
    confdir = ${raddbdir}
    run_dir = ${localstatedir}/run
    libdir = ${exec_prefix}/lib/freeradius-2.1.12
    pidfile = ${run_dir}/radiusd.pid
    db_dir = ${raddbdir}
    name = radiusd
    # chroot, user and group are all commented out, so this file does not confine the
    # daemon or switch it to an unprivileged account; it keeps the identity it was
    # started with.
    # NOTE(review): the debug session on this page is launched from a /root shell;
    # confirm which account the service runs as in normal operation.
    #chroot = /path/to/chroot/directory
    #user = freeradius
    #group = freeradius
    
    ###############################################################################
    ### Is not present in freeradius 2.x radiusd.conf anymore but it was in 1.x ###
    ### delete_blocked_requests = no                                            ###
    ### usercollide = no                                                        ###
    ### lower_user = no                                                         ###
    ### lower_pass = no                                                         ###
    ### nospace_user = no                                                       ###
    ### nospace_pass = no                                                       ###
    ###############################################################################
    
    # Request handling limits.
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    hostname_lookups = no
    # Core dumps are disabled; a core file of this process could contain the secrets
    # and key password loaded from the configuration.
    allow_core_dumps = no
    regular_expressions = yes
    extended_expressions = no
    # Authentication (1812) and accounting (1813) listeners, each bound to the single
    # address 192.168.1.1.
    listen {
    		type = auth
    		ipaddr = 192.168.1.1
    		port = 1812
    }
    listen {
    		type = acct
    		ipaddr = 192.168.1.1
    		port = 1813
    }
    
    # Logging goes to syslog, facility daemon.
    log {
    	destination = syslog
    	file = ${logdir}/radius.log
    	syslog_facility = daemon
    	stripped_names = no
    	auth = yes
    	# NOTE(review): auth_badpass / auth_goodpass write the submitted password into the
    	# log when the request carries one (e.g. PAP). The EAP logins shown on this page
    	# only log a placeholder, but both should be "no" unless actively debugging.
    	auth_badpass = yes
    	auth_goodpass = yes
    	msg_goodpass = ""
    	msg_badpass = ""
    }
    
    checkrad = ${sbindir}/checkrad
    security {
    	max_attributes = 200
    	# Access-Reject is delayed by one second, which slows repeated guessing.
    	reject_delay = 1
    	# Status-Server requests are not answered.
    	status_server = no
    }
    
    ### disable proxy module. In most environments we do not need to proxy requests to another RADIUS PROXY server
    # NOTE(review): commenting these lines out does not switch proxying off. The
    # radiusd -X output on this page still reports proxy_requests = yes and a proxy
    # listener on 192.168.1.1 port 1814; set proxy_requests = no explicitly to disable it.
    #proxy_requests = yes
    #$INCLUDE  proxy.conf
    # NAS definitions and their shared secrets are read from clients.conf.
    $INCLUDE  clients.conf
    # Worker thread pool sizing.
    thread pool {
    	start_servers = 5
    	max_servers = 32
    	min_spare_servers = 3
    	max_spare_servers = 10
    	max_queue_size = 65536
    	max_requests_per_server = 0
    }
    
    # Module definitions: every file in the modules/ directory is read (the debug output
    # on this page lists them), followed by eap.conf. All SQL includes are commented out.
    modules {
    	$INCLUDE ${confdir}/modules/
    	$INCLUDE eap.conf
    	### Dis-/Enable sql.conf INCLUDE
    	#$INCLUDE sql.conf
    
    	### Dis-/Enable sql/mysql/counter.conf INCLUDE
    	#$INCLUDE sql/mysql/counter.conf
    
    	#$INCLUDE sqlippool.conf
    }
    
    # Modules instantiated up front; the same names appear in the "Instantiating modules"
    # part of the debug output on this page.
    instantiate {
    
    	exec
    	expr
    	daily
    	weekly
    	monthly
    	forever
    	expiration
    	logintime
    	### Dis-/Enable sql instantiate
    	#sql
    }
    # Policy definitions and the enabled virtual servers are loaded last.
    $INCLUDE policy.conf
    $INCLUDE sites-enabled/
    
    

    And this is my client config:

    /usr/local/etc/raddb/clients.conf
    
    # NAS entry for the DD-WRT access point at 192.168.1.3.
    client "DDWRT" {
    	ipaddr = 192.168.1.3
    	# NOTE(review): the debug output on this page does not echo proto or
    	# max_connections for this client and shows the requests arriving as ordinary
    	# RADIUS packets; confirm whether these two settings take effect.
    	proto = tcp
    	# NOTE(review): this shared secret is published on the page (and again in the
    	# radiusd -X dump), so it must be treated as disclosed: generate a new random
    	# secret and set it on both pfSense and the access point.
    	secret = b2biIJP3kifQDljSzj
    	# With "no", Access-Requests without a Message-Authenticator are accepted from
    	# this NAS. The requests in the debug trace on this page do carry one, so "yes"
    	# should be safe to enable; verify against the access point.
    	require_message_authenticator = no
    	max_connections = 16
    	shortname = DDWRT
    	nastype = other
    	### login = !root ###
    	### password = someadminpass ###
    }
    

    This is my SystemLog

    Jan 30 11:21:13	radiusd[12412]: Ready to process requests.
    Jan 30 11:21:13	radiusd[12409]: Loaded virtual server <default>
    Jan 30 11:21:11	php: /pkg_edit.php: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'
    Jan 30 11:21:11	radiusd[9699]: Exiting normally.
    Jan 30 11:21:11	radiusd[9699]: Signalled to terminate
    Jan 30 11:21:10	check_reload_status: Syncing firewall
    Jan 30 11:18:48	radiusd[9699]: Login OK: [iPad/<via auth-type="EAP">] (from client DDWRT port 62 cli 3cd0f80ed5a5)
    Jan 30 11:18:48	radiusd[9699]: Login OK: [iPad/<via auth-type="EAP">] (from client DDWRT port 62 cli 3cd0f80ed5a5)
    Jan 30 11:18:48	radiusd[9699]: Login OK: [iPad/<via auth-type="mschap">] (from client DDWRT port 0 via TLS tunnel)
    Jan 30 11:18:48	radiusd[9699]: Login OK: [iPad/<via auth-type="mschap">] (from client DDWRT port 0 via TLS tunnel)
    Jan 30 11:18:20	radiusd[9699]: Ready to process requests.
    Jan 30 11:18:20	radiusd[9383]: Loaded virtual server <default>
    Jan 30 11:18:18	php: /pkg_edit.php: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'
    Jan 30 11:18:18	radiusd[55432]: Exiting normally.
    Jan 30 11:18:18	radiusd[55432]: Signalled to terminate
    Jan 30 11:18:17	check_reload_status: Syncing firewall
    Jan 30 11:17:18	radiusd[55432]: Login OK: [iPad/<via auth-type="EAP">] (from client DDWRT port 62 cli 3cd0f80ed5a5)
    Jan 30 11:17:18	radiusd[55432]: Login OK: [iPad/<via auth-type="EAP">] (from client DDWRT port 62 cli 3cd0f80ed5a5)
    Jan 30 11:17:18	radiusd[55432]: Login OK: [iPad/<via auth-type="mschap">] (from client DDWRT port 0 via TLS tunnel)
    Jan 30 11:17:18	radiusd[55432]: Login OK: [iPad/<via auth-type="mschap">] (from client DDWRT port 0 via TLS tunnel)
    Jan 30 11:15:22	apinger: rrdtool respawning too fast, waiting 300s.
    Jan 30 11:14:22	apinger: Error while feeding rrdtool: Broken pipe
    

    The problem is that iPhone/iPad users can authenticate and can surf the internet for about 1 minute; then the internet stops working, but they are still connected to the WiFi.  ???
    If I authenticate with my MacBook Pro I don't have any problem :o
    I tried changing every setting, but my iPad/iPhone still has this problem.
    Can anyone help???  :)



  • Make all changes and configuration in the GUI.
    Then stop the radiusd service in the GUI.

    ssh to your pfsense and run:

    radiusd -X
    

    This runs freeradius in debug mode and you will see everything that is happening.
    Read the debug output carefully from top to bottom and freeradius will tell you what it is doing. You can post the debug output here, too, but make sure that there is no sensitive data in it, such as passwords; radiusd -X also prints each client's shared secret and the private_key_password from eap.conf.



  • Here is my iPad access log:```
    Last login: Wed Jan 30 21:30:39 on ttys000
    Mac-Pro-di-Davide:~ Davide$ ssh admin@192.168.1.1
    Password:
    *** Welcome to pfSense 2.0.2-RELEASE-pfSense (amd64) on wifi ***

    WAN (wan)                -> vr0        -> 192.168.1.1
      LAN (lan)                -> rl0        -> 13.3.19.89

    1. Logout (SSH only)                  8) Shell
    2. Assign Interfaces                  9) pfTop
    3. Set interface(s) IP address      10) Filter Logs
    4. Reset webConfigurator password    11) Restart webConfigurator
    5. Reset to factory defaults        12) pfSense Developer Shell
    6. Reboot system                    13) Upgrade from console
    7. Halt system                      14) Disable Secure Shell (sshd)
    8. Ping host

    Enter an option: 8

    [2.0.2-RELEASE][admin@wifi.crnew]/root(1): radiusd -X
    FreeRADIUS Version 2.1.12, for host amd64-portbld-freebsd8.1, built on Jun 19 2012 at 08:36:32
    Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
    PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the
    GNU General Public License v2.
    Starting - reading configuration files ...
    including configuration file /usr/local/etc/raddb/radiusd.conf
    including configuration file /usr/local/etc/raddb/clients.conf
    including files in directory /usr/local/etc/raddb/modules/
    including configuration file /usr/local/etc/raddb/modules/wimax
    including configuration file /usr/local/etc/raddb/modules/always
    including configuration file /usr/local/etc/raddb/modules/attr_filter
    including configuration file /usr/local/etc/raddb/modules/attr_rewrite
    including configuration file /usr/local/etc/raddb/modules/chap
    including configuration file /usr/local/etc/raddb/modules/checkval
    including configuration file /usr/local/etc/raddb/modules/counter
    including configuration file /usr/local/etc/raddb/modules/cui
    including configuration file /usr/local/etc/raddb/modules/detail
    including configuration file /usr/local/etc/raddb/modules/detail.example.com
    including configuration file /usr/local/etc/raddb/modules/detail.log
    including configuration file /usr/local/etc/raddb/modules/digest
    including configuration file /usr/local/etc/raddb/modules/dynamic_clients
    including configuration file /usr/local/etc/raddb/modules/echo
    including configuration file /usr/local/etc/raddb/modules/etc_group
    including configuration file /usr/local/etc/raddb/modules/exec
    including configuration file /usr/local/etc/raddb/modules/expiration
    including configuration file /usr/local/etc/raddb/modules/expr
    including configuration file /usr/local/etc/raddb/modules/files
    including configuration file /usr/local/etc/raddb/modules/inner-eap
    including configuration file /usr/local/etc/raddb/modules/ippool
    including configuration file /usr/local/etc/raddb/modules/krb5
    including configuration file /usr/local/etc/raddb/modules/ldap
    including configuration file /usr/local/etc/raddb/modules/linelog
    including configuration file /usr/local/etc/raddb/modules/logintime
    including configuration file /usr/local/etc/raddb/modules/mac2ip
    including configuration file /usr/local/etc/raddb/modules/mschap
    including configuration file /usr/local/etc/raddb/modules/mac2vlan
    including configuration file /usr/local/etc/raddb/modules/ntlm_auth
    including configuration file /usr/local/etc/raddb/modules/opendirectory
    including configuration file /usr/local/etc/raddb/modules/otp
    including configuration file /usr/local/etc/raddb/modules/pam
    including configuration file /usr/local/etc/raddb/modules/pap
    including configuration file /usr/local/etc/raddb/modules/passwd
    including configuration file /usr/local/etc/raddb/modules/perl
    including configuration file /usr/local/etc/raddb/modules/policy
    including configuration file /usr/local/etc/raddb/modules/preprocess
    including configuration file /usr/local/etc/raddb/modules/radutmp
    including configuration file /usr/local/etc/raddb/modules/realm
    including configuration file /usr/local/etc/raddb/modules/redis
    including configuration file /usr/local/etc/raddb/modules/rediswho
    including configuration file /usr/local/etc/raddb/modules/replicate
    including configuration file /usr/local/etc/raddb/modules/smbpasswd
    including configuration file /usr/local/etc/raddb/modules/smsotp
    including configuration file /usr/local/etc/raddb/modules/soh
    including configuration file /usr/local/etc/raddb/modules/sql_log
    including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
    including configuration file /usr/local/etc/raddb/modules/sradutmp
    including configuration file /usr/local/etc/raddb/modules/unix
    including configuration file /usr/local/etc/raddb/modules/acct_unique
    including configuration file /usr/local/etc/raddb/modules/motp
    including configuration file /usr/local/etc/raddb/modules/datacounter_acct
    including configuration file /usr/local/etc/raddb/eap.conf
    including configuration file /usr/local/etc/raddb/policy.conf
    including files in directory /usr/local/etc/raddb/sites-enabled/
    including configuration file /usr/local/etc/raddb/sites-enabled/default
    main {
    allow_core_dumps = no
    }
    including dictionary file /usr/local/etc/raddb/dictionary
    main {
    name = "radiusd"
    prefix = "/usr/local"
    localstatedir = "/var"
    sbindir = "/usr/local/sbin"
    logdir = "/var/log"
    run_dir = "/var/run"
    libdir = "/usr/local/lib/freeradius-2.1.12"
    radacctdir = "/var/log/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    pidfile = "/var/run/radiusd.pid"
    checkrad = "/usr/local/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
    log {
    stripped_names = no
    auth = yes
    auth_badpass = yes
    auth_goodpass = yes
    msg_badpass = ""
    msg_goodpass = ""
    }
    security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
    }
    }
    radiusd: #### Loading Realms and Home Servers ####
    radiusd: #### Loading Clients ####
    client DDWRT {
    ipaddr = 192.168.1.3
    require_message_authenticator = no
    secret = "b2biIJP3kifQDljSzj"
    shortname = "DDWRT"
    nastype = "other"
    }
    radiusd: #### Instantiating modules ####
    instantiate {
    Module: Linked to module rlm_exec
    Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec
      exec {
    wait = no
    input_pairs = "request"
    shell_escape = yes
      }
    Module: Linked to module rlm_expr
    Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr
    Module: Linked to module rlm_counter
    Module: Instantiating module "daily" from file /usr/local/etc/raddb/modules/counter
      counter daily {
    filename = "/var/log/radacct/timecounter/db.daily"
    key = "User-Name"
    reset = "daily"
    count-attribute = "Acct-Session-Time"
    counter-name = "Daily-Session-Time"
    check-name = "Max-Daily-Session"
    reply-name = "Session-Timeout"
    cache-size = 5000
      }
    rlm_counter: Counter attribute Daily-Session-Time is number 11273
    rlm_counter: Current Time: 1359579930 [2013-01-30 22:05:30], Next reset 1359586800 [2013-01-31 00:00:00]
    Module: Instantiating module "weekly" from file /usr/local/etc/raddb/modules/counter
      counter weekly {
    filename = "/var/log/radacct/timecounter/db.weekly"
    key = "User-Name"
    reset = "weekly"
    count-attribute = "Acct-Session-Time"
    counter-name = "Weekly-Session-Time"
    check-name = "Max-Weekly-Session"
    reply-name = "Session-Timeout"
    cache-size = 5000
      }
    rlm_counter: Counter attribute Weekly-Session-Time is number 11275
    rlm_counter: Current Time: 1359579930 [2013-01-30 22:05:30], Next reset 1359846000 [2013-02-03 00:00:00]
    Module: Instantiating module "monthly" from file /usr/local/etc/raddb/modules/counter
      counter monthly {
    filename = "/var/log/radacct/timecounter/db.monthly"
    key = "User-Name"
    reset = "monthly"
    count-attribute = "Acct-Session-Time"
    counter-name = "Monthly-Session-Time"
    check-name = "Max-Monthly-Session"
    reply-name = "Session-Timeout"
    cache-size = 5000
      }
    rlm_counter: Counter attribute Monthly-Session-Time is number 11277
    rlm_counter: Current Time: 1359579930 [2013-01-30 22:05:30], Next reset 1359673200 [2013-02-01 00:00:00]
    Module: Instantiating module "forever" from file /usr/local/etc/raddb/modules/counter
      counter forever {
    filename = "/var/log/radacct/timecounter/db.forever"
    key = "User-Name"
    reset = "never"
    count-attribute = "Acct-Session-Time"
    counter-name = "Forever-Session-Time"
    check-name = "Max-Forever-Session"
    reply-name = "Session-Timeout"
    cache-size = 5000
      }
    rlm_counter: Counter attribute Forever-Session-Time is number 11279
    rlm_counter: Current Time: 1359579930 [2013-01-30 22:05:30], Next reset 0 [2013-01-30 22:00:00]
    Module: Linked to module rlm_expiration
    Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration
      expiration {
    reply-message = "Password Has Expired  "
      }
    Module: Linked to module rlm_logintime
    Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime
      logintime {
    reply-message = "You are calling outside your allowed timespan  "
    minimum-timeout = 60
      }
    }
    radiusd: #### Loading Virtual Servers ####
    server { # from file /usr/local/etc/raddb/radiusd.conf
    modules {
      Module: Creating Auth-Type = MOTP
      Module: Creating Auth-Type = digest
      Module: Creating Autz-Type = Status-Server
      Module: Creating Acct-Type = Status-Server
      Module: Creating Post-Auth-Type = REJECT
    Module: Checking authenticate {...} for more modules to load
    Module: Linked to module rlm_pap
    Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap
      pap {
    encryption_scheme = "auto"
    auto_header = no
      }
    Module: Linked to module rlm_chap
    Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap
    Module: Linked to module rlm_mschap
    Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap
      mschap {
    use_mppe = yes
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = yes
    allow_retry = yes
      }
    Module: Instantiating module "motp" from file /usr/local/etc/raddb/modules/motp
      exec motp {
    wait = yes
    program = "/usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}"
    input_pairs = "request"
    shell_escape = yes
      }
    Module: Linked to module rlm_digest
    Module: Instantiating module "digest" from file /usr/local/etc/raddb/modules/digest
    Module: Linked to module rlm_unix
    Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix
      unix {
    radwtmp = "/var/log/radwtmp"
      }
    Module: Linked to module rlm_eap
    Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
      eap {
    default_eap_type = "ttls"
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = yes
    max_sessions = 4096
      }
    Module: Linked to sub-module rlm_eap_tls
    Module: Instantiating eap-tls
      tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    CA_path = "/usr/local/etc/raddb/certs"
    pem_file_type = yes
    private_key_file = "/usr/local/etc/raddb/certs/server_key.pem"
    certificate_file = "/usr/local/etc/raddb/certs/server_cert.pem"
    CA_file = "/usr/local/etc/raddb/certs/ca_cert.pem"
    private_key_password = "whatever"
    dh_file = "/usr/local/etc/raddb/certs/dh"
    random_file = "/usr/local/etc/raddb/certs/random"
    fragment_size = 1024
    include_length = yes
    check_crl = no
    cipher_list = "DEFAULT"
    ecdh_curve = "prime256v1"
        cache {
    enable = no
    lifetime = 24
    max_entries = 255
        }
        verify {
        }
        ocsp {
    enable = no
    override_cert_url = no
    url = "http://127.0.0.1/ocsp/"
        }
      }
    Module: Linked to sub-module rlm_eap_ttls
    Module: Instantiating eap-ttls
      ttls {
    default_eap_type = "mschapv2"
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
    include_length = yes
      }
    Module: Linked to sub-module rlm_eap_peap
    Module: Instantiating eap-peap
      peap {
    default_eap_type = "tls"
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
    proxy_tunneled_request_as_eap = yes
    soh = no
      }
    Module: Linked to sub-module rlm_eap_mschapv2
    Module: Instantiating eap-mschapv2
      mschapv2 {
    with_ntdomain_hack = no
    send_error = no
      }
    Module: Checking authorize {...} for more modules to load
    Module: Linked to module rlm_preprocess
    Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess
      preprocess {
    huntgroups = "/usr/local/etc/raddb/huntgroups"
    hints = "/usr/local/etc/raddb/hints"
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
    with_alvarion_vsa_hack = no
      }
    Module: Linked to module rlm_realm
    Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm
      realm suffix {
    format = "suffix"
    delimiter = "@"
    ignore_default = no
    ignore_null = yes
      }
    Module: Instantiating module "ntdomain" from file /usr/local/etc/raddb/modules/realm
      realm ntdomain {
    format = "prefix"
    delimiter = ""
    ignore_default = no
    ignore_null = yes
      }
    Module: Linked to module rlm_files
    Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files
      files {
    usersfile = "/usr/local/etc/raddb/users"
    acctusersfile = "/usr/local/etc/raddb/acct_users"
    preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
    compat = "no"
      }
    Module: Linked to module rlm_checkval
    Module: Instantiating module "checkval" from file /usr/local/etc/raddb/modules/checkval
      checkval {
    item-name = "Calling-Station-Id"
    check-name = "Calling-Station-Id"
    data-type = "string"
    notfound-reject = no
      }
    rlm_checkval: Registered name Calling-Station-Id for attribute 31
    Module: Checking preacct {...} for more modules to load
    Module: Linked to module rlm_acct_unique
    Module: Instantiating module "acct_unique" from file /usr/local/etc/raddb/modules/acct_unique
      acct_unique {
    key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
      }
    Module: Checking accounting {...} for more modules to load
    Module: Linked to module rlm_detail
    Module: Instantiating module "detail" from file /usr/local/etc/raddb/modules/detail
      detail {
    detailfile = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
    header = "%t"
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
      }
    Module: Instantiating module "datacounterdaily" from file /usr/local/etc/raddb/modules/datacounter_acct
      exec datacounterdaily {
    wait = yes
    program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} daily %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
    input_pairs = "request"
    shell_escape = yes
      }
    Module: Instantiating module "datacounterweekly" from file /usr/local/etc/raddb/modules/datacounter_acct
      exec datacounterweekly {
    wait = yes
    program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} weekly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
    input_pairs = "request"
    shell_escape = yes
      }
    Module: Instantiating module "datacountermonthly" from file /usr/local/etc/raddb/modules/datacounter_acct
      exec datacountermonthly {
    wait = yes
    program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} monthly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
    input_pairs = "request"
    shell_escape = yes
      }
    Module: Instantiating module "datacounterforever" from file /usr/local/etc/raddb/modules/datacounter_acct
      exec datacounterforever {
    wait = yes
    program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} forever %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
    input_pairs = "request"
    shell_escape = yes
      }
    Module: Linked to module rlm_radutmp
    Module: Instantiating module "radutmp" from file /usr/local/etc/raddb/modules/radutmp
      radutmp {
    filename = "/var/log/radutmp"
    username = "%{User-Name}"
    case_sensitive = yes
    check_with_nas = yes
    perm = 384
    callerid = yes
      }
    Module: Linked to module rlm_attr_filter
    Module: Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/modules/attr_filter
      attr_filter attr_filter.accounting_response {
    attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
    key = "%{User-Name}"
    relaxed = no
      }
    Module: Checking session {...} for more modules to load
    Module: Checking pre-proxy {...} for more modules to load
    Module: Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/modules/attr_filter
      attr_filter attr_filter.pre-proxy {
    attrsfile = "/usr/local/etc/raddb/attrs.pre-proxy"
    key = "%{Realm}"
    relaxed = no
      }
    Module: Checking post-proxy {...} for more modules to load
    Module: Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/modules/attr_filter
      attr_filter attr_filter.post-proxy {
    attrsfile = "/usr/local/etc/raddb/attrs"
    key = "%{Realm}"
    relaxed = no
      }
    Module: Checking post-auth {...} for more modules to load
    Module: Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/modules/attr_filter
      attr_filter attr_filter.access_reject {
    attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
    key = "%{User-Name}"
    relaxed = no
      }
    } # modules
    } # server
    radiusd: #### Opening IP addresses and Ports ####
    listen {
    type = "auth"
    ipaddr = 192.168.1.1
    port = 1812
    }
    Listening on authentication address 192.168.1.1 port 1812
    Listening on proxy address 192.168.1.1 port 1814
    Ready to process requests.
    rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=1, length=121
    User-Name = "iPad"
    NAS-IP-Address = 192.168.1.3
    Called-Station-Id = "c2c1c00e689e"
    Calling-Station-Id = "a46706941f29"
    NAS-Identifier = "c2c1c00e689e"
    NAS-Port = 34
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020000090169506164
    Message-Authenticator = 0x2dda3209920a160194db88409e0287e1

    Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default

    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "iPad", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '' in User-Name = "iPad", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 0 length 9
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    [files] users: Matched entry iPad at line 97
    ++[files] returns ok
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[daily] returns noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[weekly] returns noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[monthly] returns noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[forever] returns noop
    rlm_checkval: Item Name: Calling-Station-Id, Value: a46706941f29
    rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
    ++[checkval] returns notfound
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING: Auth-Type already set.  Not setting to PAP
    ++[pap] returns noop
    Found Auth-Type = EAP

    Executing group from file /usr/local/etc/raddb/sites-enabled/default

    +- entering group authenticate {...}
    [eap] EAP Identity
    [eap] processing type tls
    [tls] Initiate
    [tls] Start returned 1
    ++[eap] returns handled
    Sending Access-Challenge of id 1 to 192.168.1.3 port 32777
    EAP-Message = 0x010100061520
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x94215fb794204acd45d98454623e2c2b
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=1, length=296
    Cleaning up request 0 ID 1 with timestamp +25
    User-Name = "iPad"
    NAS-IP-Address = 192.168.1.3
    Called-Station-Id = "c2c1c00e689e"
    Calling-Station-Id = "a46706941f29"
    NAS-Identifier = "c2c1c00e689e"
    NAS-Port = 34
    Framed-MTU = 1400
    State = 0x94215fb794204acd45d98454623e2c2b
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020100a615800000009c160301009701000093030151098b34151f242280f30e9d2f0cc80621b979cd44485afda47f1371fdf4bf4a00005800ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c004c005c002c003c00ec00fc00cc00d003d003c002f000500040035000a0067006b003300390016c006c010c001c00b003b0002000101000012000a00080006001700180019000b00020100
    Message-Authenticator = 0x333630872965c0dfba9a698e36eac0c2

    Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default

    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "iPad", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '' in User-Name = "iPad", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 1 length 166
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP

    Executing group from file /usr/local/etc/raddb/sites-enabled/default

    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/ttls
    [eap] processing type ttls
    [ttls] Authenticate
    [ttls] processing EAP-TLS
      TLS Length 156
    [ttls] Length Included
    [ttls] eaptls_verify returned 11
    [ttls]    (other): before/accept initialization
    [ttls]    TLS_accept: before/accept initialization
    [ttls] <<< TLS 1.0 Handshake [length 0097], ClientHello 
    [ttls]    TLS_accept: SSLv3 read client hello A
    [ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello 
    [ttls]    TLS_accept: SSLv3 write server hello A
    [ttls] >>> TLS 1.0 Handshake [length 085f], Certificate 
    [ttls]    TLS_accept: SSLv3 write certificate A
    [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone 
    [ttls]    TLS_accept: SSLv3 write server done A
    [ttls]    TLS_accept: SSLv3 flush data
    [ttls]    TLS_accept: Need to read more data: SSLv3 read client certificate A
    In SSL Handshake Phase
    In SSL Accept mode 
    [ttls] eaptls_process returned 13
    ++[eap] returns handled
    Sending Access-Challenge of id 1 to 192.168.1.3 port 32777
    EAP-Message = 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
    EAP-Message = 0x39313633365a3074310b300906035504061302495431123010060355040813094c6f6d626172646961310e300c060355040713054372656d61310e300c060355040a13054c41303337311c301a06092a864886f70d010901160d776966694063726e65772e6974311330110603550403130a576946692043724e657730819f300d06092a864886f70d010101050003818d0030818902818100cecf62420d6cecfca457df3fbba025e3a514c5948c50776443cb1a50e685cc14126b369bbb22f401457d3dd19bb629e834cd2797d05ce639e368c9522bd945ea1262ad4524f269261ea78693ce4e670cb1fb6a7956abd0579209e92c2282cf14d2b556a8
    EAP-Message = 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
    EAP-Message = 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
    EAP-Message = 0x7e1c99d4d260cf7162e45dd7
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x94215fb795234acd45d98454623e2c2b
    Finished request 1.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=1, length=136
    Cleaning up request 1 ID 1 with timestamp +25
    User-Name = "iPad"
    NAS-IP-Address = 192.168.1.3
    Called-Station-Id = "c2c1c00e689e"
    Calling-Station-Id = "a46706941f29"
    NAS-Identifier = "c2c1c00e689e"
    NAS-Port = 34
    Framed-MTU = 1400
    State = 0x94215fb795234acd45d98454623e2c2b
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020200061500
    Message-Authenticator = 0xa7a6a8828361fe3f3641feb4e2ac10e2

    Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default

    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "iPad", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "iPad", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 2 length 6
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP

    Executing group from file /usr/local/etc/raddb/sites-enabled/default

    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/ttls
    [eap] processing type ttls
    [ttls] Authenticate
    [ttls] processing EAP-TLS
    [ttls] Received TLS ACK
    [ttls] ACK handshake fragment handler
    [ttls] eaptls_verify returned 1
    [ttls] eaptls_process returned 13
    ++[eap] returns handled
    Sending Access-Challenge of id 1 to 192.168.1.3 port 32777
    EAP-Message = 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
    EAP-Message = 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
    EAP-Message = 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
    EAP-Message = 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
    EAP-Message = 0xb8960c9c801097dd1e941b16
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x94215fb796224acd45d98454623e2c2b
    Finished request 2.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=1, length=136
    Cleaning up request 2 ID 1 with timestamp +25
    User-Name = "iPad"
    NAS-IP-Address = 192.168.1.3
    Called-Station-Id = "c2c1c00e689e"
    Calling-Station-Id = "a46706941f29"
    NAS-Identifier = "c2c1c00e689e"
    NAS-Port = 34
    Framed-MTU = 1400
    State = 0x94215fb796224acd45d98454623e2c2b
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020300061500
    Message-Authenticator = 0x4a2d6deb865440b3426564b7fd5b36ed

    Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default

    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "iPad", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "iPad", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 3 length 6
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP

    Executing group from file /usr/local/etc/raddb/sites-enabled/default

    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/ttls
    [eap] processing type ttls
    [ttls] Authenticate
    [ttls] processing EAP-TLS
    [ttls] Received TLS ACK
    [ttls] ACK handshake fragment handler
    [ttls] eaptls_verify returned 1
    [ttls] eaptls_process returned 13
    ++[eap] returns handled
    Sending Access-Challenge of id 1 to 192.168.1.3 port 32777
    EAP-Message = 0x010400c11580000008a390f514b521b67360c591cc78f7ecd97594a7823a57db3373fd940fd3cc0b47871454e476139cc53356ff2d30133229385a11432d34662a879b24a86e3d7b66f2f78dde1089628b4313c842ddea969da40440d6624a5c936878a6bb52a45745d9738a680b983bec2b70a5ff5a26bb113fa383deaf90199ad05aba595ab4841a72885bd534e0b8e6dcb71ee801c81fb7b191ab6d675094af7420b81075b8a8f5cced9b47e2dab1732a68f759d5497b16030100040e000000
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x94215fb797254acd45d98454623e2c2b
    Finished request 3.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=1, length=338
    Cleaning up request 3 ID 1 with timestamp +25
    User-Name = "iPad"
    NAS-IP-Address = 192.168.1.3
    Called-Station-Id = "c2c1c00e689e"
    Calling-Station-Id = "a46706941f29"
    NAS-Identifier = "c2c1c00e689e"
    NAS-Port = 34
    Framed-MTU = 1400
    State = 0x94215fb797254acd45d98454623e2c2b
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020400d01580000000c61603010086100000820080c46bf4b5b790b71c130f1987e9bdfca5c175e98e85b532ae72d7f0ab38c251fa6825f39a9920a07defe8be9156a7946858c4b03b8319364a9b83b4bb09edfdb6e6357d93d9ef416e48ebb263328adde16d7b00d906bab729f9438fcaa48e425ef87d59716169a27084240f500998ad86ab82139578e29bba9bc94bdbdd1276b21403010001011603010030c10530e8095e96c3509891ff8491db4673d2a15368f71618b80dc4c399558df7795c78800a1e49b3f9e16892a3997e2b
    Message-Authenticator = 0xe5e0b7c956b13c669db1717b79f17ae0

    Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default

    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "iPad", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "iPad", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 4 length 208
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP

    Executing group from file /usr/local/etc/raddb/sites-enabled/default

    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/ttls
    [eap] processing type ttls
    [ttls] Authenticate
    [ttls] processing EAP-TLS
      TLS Length 198
    [ttls] Length Included
    [ttls] eaptls_verify returned 11
    [ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange 
    [ttls]    TLS_accept: SSLv3 read client key exchange A
    [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] 
    [ttls] <<< TLS 1.0 Handshake [length 0010], Finished 
    [ttls]    TLS_accept: SSLv3 read finished A
    [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] 
    [ttls]    TLS_accept: SSLv3 write change cipher spec A
    [ttls] >>> TLS 1.0 Handshake [length 0010], Finished 
    [ttls]    TLS_accept: SSLv3 write finished A
    [ttls]    TLS_accept: SSLv3 flush data
    [ttls]    (other): SSL negotiation finished successfully
    SSL Connection Established
    [ttls] eaptls_process returned 13
    ++[eap] returns handled
    Sending Access-Challenge of id 1 to 192.168.1.3 port 32777
    EAP-Message = 0x0105004515800000003b140301000101160301003034a486d8966d41cd37c59248c94f49154ad12fb37a110eede1a5aaba0f10bdf406862cfb279bfdf7d9255ed4b83d7014
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x94215fb790244acd45d98454623e2c2b
    Finished request 4.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=1, length=273
    Cleaning up request 4 ID 1 with timestamp +25
    WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    WARNING: !! EAP session for state 0x94215fb790244acd did not finish!
    WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
    WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    User-Name = "iPad"
    NAS-IP-Address = 192.168.1.3
    Called-Station-Id = "c2c1c00e689e"
    Calling-Station-Id = "a46706941f29"
    NAS-Identifier = "c2c1c00e689e"
    NAS-Port = 34
    Framed-MTU = 1400
    State = 0x94215fb790244acd45d98454623e2c2b
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x0205008f1580000000851703010080e9c572c5c0c62b307dda87c740eccd3c857f9f0e873b66027f1a2d6c51393b5cda2e7545f50dcc284fecf7820da49c435e37e97fe311c0b3b3156cd6e9d8d3f7fba9fb4b31c085b12f9725b5e227a3c93c3e56f334d4d9d5d8e635ec8f397abf608ae8b10bce5f9a66d9d52a15140a34e9e4f6b24e09bc1e9602359797ca1b53
    Message-Authenticator = 0x6d2b616ca1f36e48bf97173dbe2df119

    Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default

    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "iPad", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "iPad", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 5 length 143
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP

    Executing group from file /usr/local/etc/raddb/sites-enabled/default

    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/ttls
    [eap] processing type ttls
    [ttls] Authenticate
    [ttls] processing EAP-TLS
      TLS Length 133
    [ttls] Length Included
    [ttls] eaptls_verify returned 11
    [ttls] eaptls_process returned 7
    [ttls] Session established.  Proceeding to decode tunneled attributes.
    [ttls] Got tunneled request
    User-Name = "iPad"
    MS-CHAP-Challenge = 0x093490bc65840024aba84788d4c925b0
    MS-CHAP2-Response = 0x2900323f20a14542a33cd3688fdbc05c59790000000000000000a1015e46a2f08832b788e34de32c764abae001d13997106a
    FreeRADIUS-Proxied-To = 127.0.0.1
    [ttls] Sending tunneled request
    User-Name = "iPad"
    MS-CHAP-Challenge = 0x093490bc65840024aba84788d4c925b0
    MS-CHAP2-Response = 0x2900323f20a14542a33cd3688fdbc05c59790000000000000000a1015e46a2f08832b788e34de32c764abae001d13997106a
    FreeRADIUS-Proxied-To = 127.0.0.1
    NAS-IP-Address = 192.168.1.3
    Called-Station-Id = "c2c1c00e689e"
    Calling-Station-Id = "a46706941f29"
    NAS-Identifier = "c2c1c00e689e"
    NAS-Port = 34
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    server  {

    Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default

    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
    ++[mschap] returns ok
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "iPad", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "iPad", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    [files] users: Matched entry iPad at line 97
    ++[files] returns ok
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[daily] returns noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[weekly] returns noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[monthly] returns noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[forever] returns noop
    rlm_checkval: Item Name: Calling-Station-Id, Value: a46706941f29
    rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
    ++[checkval] returns notfound
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING: Auth-Type already set.  Not setting to PAP
    ++[pap] returns noop
    Found Auth-Type = MSCHAP

    Executing group from file /usr/local/etc/raddb/sites-enabled/default

    +- entering group MS-CHAP {...}
    [mschap] Creating challenge hash with username: iPad
    [mschap] Told to do MS-CHAPv2 for iPad with NT-Password
    [mschap] adding MS-CHAPv2 MPPE keys
    ++[mschap] returns ok
    expand:  ->
    Login OK: [iPad/<via auth-type="mschap">] (from client DDWRT port 34 cli a46706941f29 via TLS tunnel)

    Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default

    +- entering group post-auth {...}
    ++[exec] returns noop
    } # server
    [ttls] Got tunneled reply code 2
    MS-CHAP2-Success = 0x29533d30323331463037313036394235453637324144384433303836323241413532464534453341304131
    MS-MPPE-Recv-Key = 0xcb7a8c4763ceeda8fc01cf337f19d95f
    MS-MPPE-Send-Key = 0xb5180abe5eaba9a027bb9c2788d3a770
    MS-MPPE-Encryption-Policy = 0x00000001
    MS-MPPE-Encryption-Types = 0x00000006
    [ttls] Got tunneled Access-Accept
    [ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge.
    ++[eap] returns handled
    Sending Access-Challenge of id 1 to 192.168.1.3 port 32777
    EAP-Message = 0x0106005f1580000000551703010050133518df9e7df1d120d561933a4b10717cadf25efa4b79d6a27af8a79b1a85f9d3874761a3b49231003304c538cf901deef171379ee87f731f42fdef2f10cd96b0e9acd65bf5a7ffd1ee64980f9ee0f4
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x94215fb791274acd45d98454623e2c2b
    Finished request 5.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=1, length=136
    Cleaning up request 5 ID 1 with timestamp +29
    User-Name = "iPad"
    NAS-IP-Address = 192.168.1.3
    Called-Station-Id = "c2c1c00e689e"
    Calling-Station-Id = "a46706941f29"
    NAS-Identifier = "c2c1c00e689e"
    NAS-Port = 34
    Framed-MTU = 1400
    State = 0x94215fb791274acd45d98454623e2c2b
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020600061500
    Message-Authenticator = 0x0061b2da35be299e47214ce0dbe7e4ff

    Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default

    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "iPad", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "iPad", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 6 length 6
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP

    Executing group from file /usr/local/etc/raddb/sites-enabled/default

    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/ttls
    [eap] processing type ttls
    [ttls] Authenticate
    [ttls] processing EAP-TLS
    [ttls] Received TLS ACK
    [ttls] ACK handshake is finished
    [ttls] eaptls_verify returned 3
    [ttls] eaptls_process returned 3
    [ttls] Using saved attributes from the original Access-Accept
    [eap] Freeing handler
    ++[eap] returns ok
    expand:  ->
    Login OK: [iPad/<via auth-type="EAP">] (from client DDWRT port 34 cli a46706941f29)

    Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default

    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 1 to 192.168.1.3 port 32777
    MS-MPPE-Recv-Key = 0xe4a80c1afc4de09ba8cdeb129584bc73f261c65d2584c914eda9f5c7da46fb9c
    MS-MPPE-Send-Key = 0x9c2d77fa68aa2e2aa533669a550422a3b4e2ce15cf07415c447d7679f08c9889
    EAP-Message = 0x03060004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "iPad"
    Finished request 6.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 6 ID 1 with timestamp +29
    Ready to process requests.

    
    When I tap "Renew Lease" on the iPad, the internet works for another minute and then stops working again, but the iPad does not disconnect from the Wi-Fi…


  • And this is my Mac log:

    Ready to process requests.
    rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=121
    	User-Name = "iMac"
    	NAS-IP-Address = 192.168.1.3
    	Called-Station-Id = "c2c1c00e689e"
    	Calling-Station-Id = "6470020d9a60"
    	NAS-Identifier = "c2c1c00e689e"
    	NAS-Port = 55
    	Framed-MTU = 1400
    	NAS-Port-Type = Wireless-802.11
    	EAP-Message = 0x0200000901694d6163
    	Message-Authenticator = 0x9c13a03c07eab38a110a59e874aac850
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 0 length 9
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    [files] users: Matched entry iMac at line 93
    ++[files] returns ok
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[daily] returns noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[weekly] returns noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[monthly] returns noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[forever] returns noop
    rlm_checkval: Item Name: Calling-Station-Id, Value: 6470020d9a60
    rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
    ++[checkval] returns notfound
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING: Auth-Type already set.  Not setting to PAP
    ++[pap] returns noop
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] EAP Identity
    [eap] processing type tls
    [tls] Initiate
    [tls] Start returned 1
    ++[eap] returns handled
    Sending Access-Challenge of id 0 to 192.168.1.3 port 32777
    	EAP-Message = 0x010100061520
    	Message-Authenticator = 0x00000000000000000000000000000000
    	State = 0x1382b4531383a10a15b5f944c410db05
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=258
    Cleaning up request 0 ID 0 with timestamp +19
    	User-Name = "iMac"
    	NAS-IP-Address = 192.168.1.3
    	Called-Station-Id = "c2c1c00e689e"
    	Calling-Station-Id = "6470020d9a60"
    	NAS-Identifier = "c2c1c00e689e"
    	NAS-Port = 55
    	Framed-MTU = 1400
    	State = 0x1382b4531383a10a15b5f944c410db05
    	NAS-Port-Type = Wireless-802.11
    	EAP-Message = 0x0201008015800000007616030100710100006d030151098d55a1e9f1029eddfe94d5826dabc35538e36d55033adea4d9a38fa1d5c100003200ffc00ac009c007c008c014c013c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a00330039001601000012000a00080006001700180019000b00020100
    	Message-Authenticator = 0xb38e5665f025282cdd55e467378bc591
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 1 length 128
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/ttls
    [eap] processing type ttls
    [ttls] Authenticate
    [ttls] processing EAP-TLS
      TLS Length 118
    [ttls] Length Included
    [ttls] eaptls_verify returned 11 
    [ttls]     (other): before/accept initialization
    [ttls]     TLS_accept: before/accept initialization
    [ttls] <<< TLS 1.0 Handshake [length 0071], ClientHello  
    [ttls]     TLS_accept: SSLv3 read client hello A
    [ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello  
    [ttls]     TLS_accept: SSLv3 write server hello A
    [ttls] >>> TLS 1.0 Handshake [length 085f], Certificate  
    [ttls]     TLS_accept: SSLv3 write certificate A
    [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
    [ttls]     TLS_accept: SSLv3 write server done A
    [ttls]     TLS_accept: SSLv3 flush data
    [ttls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
    In SSL Handshake Phase 
    In SSL Accept mode  
    [ttls] eaptls_process returned 13 
    ++[eap] returns handled
    Sending Access-Challenge of id 0 to 192.168.1.3 port 32777
    	EAP-Message = 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
    	EAP-Message = 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
    	EAP-Message = 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
    	EAP-Message = 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
    	EAP-Message = 0x7e1c99d4d260cf7162e45dd7
    	Message-Authenticator = 0x00000000000000000000000000000000
    	State = 0x1382b4531280a10a15b5f944c410db05
    Finished request 1.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=136
    Cleaning up request 1 ID 0 with timestamp +19
    	User-Name = "iMac"
    	NAS-IP-Address = 192.168.1.3
    	Called-Station-Id = "c2c1c00e689e"
    	Calling-Station-Id = "6470020d9a60"
    	NAS-Identifier = "c2c1c00e689e"
    	NAS-Port = 55
    	Framed-MTU = 1400
    	State = 0x1382b4531280a10a15b5f944c410db05
    	NAS-Port-Type = Wireless-802.11
    	EAP-Message = 0x020200061500
    	Message-Authenticator = 0x6578b31271da2ff6dde8d4919c6a41af
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 2 length 6
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/ttls
    [eap] processing type ttls
    [ttls] Authenticate
    [ttls] processing EAP-TLS
    [ttls] Received TLS ACK
    [ttls] ACK handshake fragment handler
    [ttls] eaptls_verify returned 1 
    [ttls] eaptls_process returned 13 
    ++[eap] returns handled
    Sending Access-Challenge of id 0 to 192.168.1.3 port 32777
    	EAP-Message = 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
    	EAP-Message = 0x0355040313094153492043724e6577301e170d3133303132393131303333365a170d3233303132373131303333365a3073310b300906035504061302495431123010060355040813094c6f6d626172646961310e300c060355040713054372656d61310e300c060355040a13054c41303337311c301a06092a864886f70d010901160d776966694063726e65772e697431123010060355040313094153492043724e657730820122300d06092a864886f70d01010105000382010f003082010a0282010100c027f09e7af99251a4a481f386f01c0890ec992dafd4eb9daaad18186c49125799411e4d10be48e18be515d6f0b88ec55f78d9af36cee087
    	EAP-Message = 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
    	EAP-Message = 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
    	EAP-Message = 0xb8960c9c801097dd1e941b16
    	Message-Authenticator = 0x00000000000000000000000000000000
    	State = 0x1382b4531181a10a15b5f944c410db05
    Finished request 2.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=136
    Cleaning up request 2 ID 0 with timestamp +19
    	User-Name = "iMac"
    	NAS-IP-Address = 192.168.1.3
    	Called-Station-Id = "c2c1c00e689e"
    	Calling-Station-Id = "6470020d9a60"
    	NAS-Identifier = "c2c1c00e689e"
    	NAS-Port = 55
    	Framed-MTU = 1400
    	State = 0x1382b4531181a10a15b5f944c410db05
    	NAS-Port-Type = Wireless-802.11
    	EAP-Message = 0x020300061500
    	Message-Authenticator = 0xb2da3df775ec12ab2444101216280070
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 3 length 6
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/ttls
    [eap] processing type ttls
    [ttls] Authenticate
    [ttls] processing EAP-TLS
    [ttls] Received TLS ACK
    [ttls] ACK handshake fragment handler
    [ttls] eaptls_verify returned 1 
    [ttls] eaptls_process returned 13 
    ++[eap] returns handled
    Sending Access-Challenge of id 0 to 192.168.1.3 port 32777
    	EAP-Message = 0x010400c11580000008a390f514b521b67360c591cc78f7ecd97594a7823a57db3373fd940fd3cc0b47871454e476139cc53356ff2d30133229385a11432d34662a879b24a86e3d7b66f2f78dde1089628b4313c842ddea969da40440d6624a5c936878a6bb52a45745d9738a680b983bec2b70a5ff5a26bb113fa383deaf90199ad05aba595ab4841a72885bd534e0b8e6dcb71ee801c81fb7b191ab6d675094af7420b81075b8a8f5cced9b47e2dab1732a68f759d5497b16030100040e000000
    	Message-Authenticator = 0x00000000000000000000000000000000
    	State = 0x1382b4531086a10a15b5f944c410db05
    Finished request 3.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=338
    Cleaning up request 3 ID 0 with timestamp +19
    	User-Name = "iMac"
    	NAS-IP-Address = 192.168.1.3
    	Called-Station-Id = "c2c1c00e689e"
    	Calling-Station-Id = "6470020d9a60"
    	NAS-Identifier = "c2c1c00e689e"
    	NAS-Port = 55
    	Framed-MTU = 1400
    	State = 0x1382b4531086a10a15b5f944c410db05
    	NAS-Port-Type = Wireless-802.11
    	EAP-Message = 0x020400d01580000000c616030100861000008200807519ef6cceff086f5962e26838788737a663c820392d1ac0984721aef30ed723e3121fc67619c5092261418f9e51c6ad7dd13d777cb9b717dcc532289aca026efa1158093f90f83d5605fa62c950ca9a454bdda956f9e2a30dbcbb220d6308c6cf7102a6a3f343f03b282902d5ce3f3b5b08f18045f2fde0a1912d3c3f8474ce1403010001011603010030b3fc54f8577174dbdb756eaed7bb01c4a76dcc243253bd5eaaf4b53aae7786b567ceb9bc6939d26f75bb407a84a441f6
    	Message-Authenticator = 0x1375ab587846a1b863e131ffead4d770
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 4 length 208
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/ttls
    [eap] processing type ttls
    [ttls] Authenticate
    [ttls] processing EAP-TLS
      TLS Length 198
    [ttls] Length Included
    [ttls] eaptls_verify returned 11 
    [ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange  
    [ttls]     TLS_accept: SSLv3 read client key exchange A
    [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
    [ttls] <<< TLS 1.0 Handshake [length 0010], Finished  
    [ttls]     TLS_accept: SSLv3 read finished A
    [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
    [ttls]     TLS_accept: SSLv3 write change cipher spec A
    [ttls] >>> TLS 1.0 Handshake [length 0010], Finished  
    [ttls]     TLS_accept: SSLv3 write finished A
    [ttls]     TLS_accept: SSLv3 flush data
    [ttls]     (other): SSL negotiation finished successfully
    SSL Connection Established 
    [ttls] eaptls_process returned 13 
    ++[eap] returns handled
    Sending Access-Challenge of id 0 to 192.168.1.3 port 32777
    	EAP-Message = 0x0105004515800000003b1403010001011603010030deb0819e1dd9d78b553158e57147f6013cb6fb491a52fe3124275b891d43bcbfd5b186690c3d3e7700441a4592e2c979
    	Message-Authenticator = 0x00000000000000000000000000000000
    	State = 0x1382b4531787a10a15b5f944c410db05
    Finished request 4.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=273
    Cleaning up request 4 ID 0 with timestamp +19
    	User-Name = "iMac"
    	NAS-IP-Address = 192.168.1.3
    	Called-Station-Id = "c2c1c00e689e"
    	Calling-Station-Id = "6470020d9a60"
    	NAS-Identifier = "c2c1c00e689e"
    	NAS-Port = 55
    	Framed-MTU = 1400
    	State = 0x1382b4531787a10a15b5f944c410db05
    	NAS-Port-Type = Wireless-802.11
    	EAP-Message = 0x0205008f1580000000851703010080e169a44d3e65f0149ef956cc91a1b62133eeaab1da6e23203c5c98320ae38f3d03adf4db9cda266899e118c939b4764a3b571a22d467d4d0986812b0717323d61c91c64c0074eb7efa372c3baf43101d05656f0c0e6a6afc813f544dcf75da09c907b455862201f72fdb7fcaccc99bf00ca852ec36e95e504c054bdc649db15a
    	Message-Authenticator = 0xb013f9209430b2c372e3aeb7f61f9dfc
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 5 length 143
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/ttls
    [eap] processing type ttls
    [ttls] Authenticate
    [ttls] processing EAP-TLS
      TLS Length 133
    [ttls] Length Included
    [ttls] eaptls_verify returned 11 
    [ttls] eaptls_process returned 7 
    [ttls] Session established.  Proceeding to decode tunneled attributes.
    [ttls] Got tunneled request
    	User-Name = "iMac"
    	MS-CHAP-Challenge = 0xcc6298cba8b161bb9d0a4838d5eca2e2
    	MS-CHAP2-Response = 0xb2005c6e16fc1911a9b0edc83554da5ca61300000000000000005ef4841a62476db0ef14b3f8a5cca03e5476d29e76e8ca8b
    	FreeRADIUS-Proxied-To = 127.0.0.1
    [ttls] Sending tunneled request
    	User-Name = "iMac"
    	MS-CHAP-Challenge = 0xcc6298cba8b161bb9d0a4838d5eca2e2
    	MS-CHAP2-Response = 0xb2005c6e16fc1911a9b0edc83554da5ca61300000000000000005ef4841a62476db0ef14b3f8a5cca03e5476d29e76e8ca8b
    	FreeRADIUS-Proxied-To = 127.0.0.1
    	NAS-IP-Address = 192.168.1.3
    	Called-Station-Id = "c2c1c00e689e"
    	Calling-Station-Id = "6470020d9a60"
    	NAS-Identifier = "c2c1c00e689e"
    	NAS-Port = 55
    	Framed-MTU = 1400
    	NAS-Port-Type = Wireless-802.11
    server  {
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
    ++[mschap] returns ok
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    [files] users: Matched entry iMac at line 93
    ++[files] returns ok
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[daily] returns noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[weekly] returns noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[monthly] returns noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[forever] returns noop
    rlm_checkval: Item Name: Calling-Station-Id, Value: 6470020d9a60
    rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
    ++[checkval] returns notfound
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING: Auth-Type already set.  Not setting to PAP
    ++[pap] returns noop
    Found Auth-Type = MSCHAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group MS-CHAP {...}
    [mschap] Creating challenge hash with username: iMac
    [mschap] Told to do MS-CHAPv2 for iMac with NT-Password
    [mschap] adding MS-CHAPv2 MPPE keys
    ++[mschap] returns ok
    	expand:  -> 
    Login OK: [iMac/<via auth-type="mschap">] (from client DDWRT port 55 cli 6470020d9a60 via TLS tunnel) 
    # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group post-auth {...}
    ++[exec] returns noop
    } # server 
    [ttls] Got tunneled reply code 2
    	MS-CHAP2-Success = 0xb2533d41314344433146424339424435323734353730343636344643343630383038383943423046354546
    	MS-MPPE-Recv-Key = 0x3ee5a67f518f8b217f447340af5ba72b
    	MS-MPPE-Send-Key = 0x316bd72d945b07ebc91e2b3189cc1851
    	MS-MPPE-Encryption-Policy = 0x00000001
    	MS-MPPE-Encryption-Types = 0x00000006
    [ttls] Got tunneled Access-Accept
    [ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge.
    ++[eap] returns handled
    Sending Access-Challenge of id 0 to 192.168.1.3 port 32777
    	EAP-Message = 0x0106005f15800000005517030100500d6d01deb451305ab16ef800d9add4426a3c25ee51ba0f9771e0d293d3e68a5e214684d5beb70b054d7079aea5859721ab49e470079163c2d8e0ce358281f662b2325c32c168abcb5e1687b16bd5ec39
    	Message-Authenticator = 0x00000000000000000000000000000000
    	State = 0x1382b4531684a10a15b5f944c410db05
    Finished request 5.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=136
    Cleaning up request 5 ID 0 with timestamp +19
    	User-Name = "iMac"
    	NAS-IP-Address = 192.168.1.3
    	Called-Station-Id = "c2c1c00e689e"
    	Calling-Station-Id = "6470020d9a60"
    	NAS-Identifier = "c2c1c00e689e"
    	NAS-Port = 55
    	Framed-MTU = 1400
    	State = 0x1382b4531684a10a15b5f944c410db05
    	NAS-Port-Type = Wireless-802.11
    	EAP-Message = 0x020600061500
    	Message-Authenticator = 0x82131b8787036731112f17082ec2f991
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 6 length 6
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/ttls
    [eap] processing type ttls
    [ttls] Authenticate
    [ttls] processing EAP-TLS
    [ttls] Received TLS ACK
    [ttls] ACK handshake is finished
    [ttls] eaptls_verify returned 3 
    [ttls] eaptls_process returned 3 
    [ttls] Using saved attributes from the original Access-Accept
    [eap] Freeing handler
    ++[eap] returns ok
    	expand:  -> 
    Login OK: [iMac/<via auth-type="EAP">] (from client DDWRT port 55 cli 6470020d9a60) 
    # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 0 to 192.168.1.3 port 32777
    	MS-MPPE-Recv-Key = 0xacd8f46fa3435add4f44b48f482ae3ca0c6f45def714628188203c1d1381fabd
    	MS-MPPE-Send-Key = 0x9c50355c211a8a7cb426fd13937679181d243de4798118f1ebebee1ecf0697c7
    	EAP-Message = 0x03060004
    	Message-Authenticator = 0x00000000000000000000000000000000
    	User-Name = "iMac"
    Finished request 6.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 6 ID 0 with timestamp +19
    Ready to process requests.
    rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=121
    	User-Name = "iMac"
    	NAS-IP-Address = 192.168.1.3
    	Called-Station-Id = "c2c1c00e689e"
    	Calling-Station-Id = "6470020d9a60"
    	NAS-Identifier = "c2c1c00e689e"
    	NAS-Port = 55
    	Framed-MTU = 1400
    	NAS-Port-Type = Wireless-802.11
    	EAP-Message = 0x0200000901694d6163
    	Message-Authenticator = 0x26d2daa1b284cba289422cb984790f54
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 0 length 9
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    [files] users: Matched entry iMac at line 93
    ++[files] returns ok
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[daily] returns noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[weekly] returns noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[monthly] returns noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[forever] returns noop
    rlm_checkval: Item Name: Calling-Station-Id, Value: 6470020d9a60
    rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
    ++[checkval] returns notfound
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING: Auth-Type already set.  Not setting to PAP
    ++[pap] returns noop
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] EAP Identity
    [eap] processing type tls
    [tls] Initiate
    [tls] Start returned 1
    ++[eap] returns handled
    Sending Access-Challenge of id 0 to 192.168.1.3 port 32777
    	EAP-Message = 0x010100061520
    	Message-Authenticator = 0x00000000000000000000000000000000
    	State = 0xa5bdaa33a5bcbf7615f7075b5970b3e6
    Finished request 7.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=258
    Cleaning up request 7 ID 0 with timestamp +53
    	User-Name = "iMac"
    	NAS-IP-Address = 192.168.1.3
    	Called-Station-Id = "c2c1c00e689e"
    	Calling-Station-Id = "6470020d9a60"
    	NAS-Identifier = "c2c1c00e689e"
    	NAS-Port = 55
    	Framed-MTU = 1400
    	State = 0xa5bdaa33a5bcbf7615f7075b5970b3e6
    	NAS-Port-Type = Wireless-802.11
    	EAP-Message = 0x0201008015800000007616030100710100006d030151098d77823e23f340fce39737aca017500381c02046d067aa630d5e0dc3331b00003200ffc00ac009c007c008c014c013c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a00330039001601000012000a00080006001700180019000b00020100
    	Message-Authenticator = 0x353ad6a41749680aef6eff6fe4cc15e7
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 1 length 128
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/ttls
    [eap] processing type ttls
    [ttls] Authenticate
    [ttls] processing EAP-TLS
      TLS Length 118
    [ttls] Length Included
    [ttls] eaptls_verify returned 11 
    [ttls]     (other): before/accept initialization
    [ttls]     TLS_accept: before/accept initialization
    [ttls] <<< TLS 1.0 Handshake [length 0071], ClientHello  
    [ttls]     TLS_accept: SSLv3 read client hello A
    [ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello  
    [ttls]     TLS_accept: SSLv3 write server hello A
    [ttls] >>> TLS 1.0 Handshake [length 085f], Certificate  
    [ttls]     TLS_accept: SSLv3 write certificate A
    [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
    [ttls]     TLS_accept: SSLv3 write server done A
    [ttls]     TLS_accept: SSLv3 flush data
    [ttls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
    In SSL Handshake Phase 
    In SSL Accept mode  
    [ttls] eaptls_process returned 13 
    ++[eap] returns handled
    Sending Access-Challenge of id 0 to 192.168.1.3 port 32777
    	EAP-Message = 0x0102040015c0000008a316030100310200002d030151098d77ddcce7408b6a341f28e15b5b48b57fa07800e42a10af2c3125cc81cc00002f000005ff01000100160301085f0b00085b00085800041c3082041830820300a003020102020102300d06092a864886f70d01010505003073310b300906035504061302495431123010060355040813094c6f6d626172646961310e300c060355040713054372656d61310e300c060355040a13054c41303337311c301a06092a864886f70d010901160d776966694063726e65772e697431123010060355040313094153492043724e6577301e170d3133303133303039313633365a170d32333031323830
    	EAP-Message = 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
    	EAP-Message = 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
    	EAP-Message = 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
    	EAP-Message = 0x7e1c99d4d260cf7162e45dd7
    	Message-Authenticator = 0x00000000000000000000000000000000
    	State = 0xa5bdaa33a4bfbf7615f7075b5970b3e6
    Finished request 8.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=136
    Cleaning up request 8 ID 0 with timestamp +53
    	User-Name = "iMac"
    	NAS-IP-Address = 192.168.1.3
    	Called-Station-Id = "c2c1c00e689e"
    	Calling-Station-Id = "6470020d9a60"
    	NAS-Identifier = "c2c1c00e689e"
    	NAS-Port = 55
    	Framed-MTU = 1400
    	State = 0xa5bdaa33a4bfbf7615f7075b5970b3e6
    	NAS-Port-Type = Wireless-802.11
    	EAP-Message = 0x020200061500
    	Message-Authenticator = 0x0deceb8155ceaab4e82ac3791c2f3420
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 2 length 6
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/ttls
    [eap] processing type ttls
    [ttls] Authenticate
    [ttls] processing EAP-TLS
    [ttls] Received TLS ACK
    [ttls] ACK handshake fragment handler
    [ttls] eaptls_verify returned 1 
    [ttls] eaptls_process returned 13 
    ++[eap] returns handled
    Sending Access-Challenge of id 0 to 192.168.1.3 port 32777
    	EAP-Message = 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
    	EAP-Message = 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
    	EAP-Message = 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
    	EAP-Message = 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
    	EAP-Message = 0xb8960c9c801097dd1e941b16
    	Message-Authenticator = 0x00000000000000000000000000000000
    	State = 0xa5bdaa33a7bebf7615f7075b5970b3e6
    Finished request 9.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=136
    Cleaning up request 9 ID 0 with timestamp +53
    	User-Name = "iMac"
    	NAS-IP-Address = 192.168.1.3
    	Called-Station-Id = "c2c1c00e689e"
    	Calling-Station-Id = "6470020d9a60"
    	NAS-Identifier = "c2c1c00e689e"
    	NAS-Port = 55
    	Framed-MTU = 1400
    	State = 0xa5bdaa33a7bebf7615f7075b5970b3e6
    	NAS-Port-Type = Wireless-802.11
    	EAP-Message = 0x020300061500
    	Message-Authenticator = 0x60c86b636fd6ea3523e9a202e489b241
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 3 length 6
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/ttls
    [eap] processing type ttls
    [ttls] Authenticate
    [ttls] processing EAP-TLS
    [ttls] Received TLS ACK
    [ttls] ACK handshake fragment handler
    [ttls] eaptls_verify returned 1 
    [ttls] eaptls_process returned 13 
    ++[eap] returns handled
    Sending Access-Challenge of id 0 to 192.168.1.3 port 32777
    	EAP-Message = 0x010400c11580000008a390f514b521b67360c591cc78f7ecd97594a7823a57db3373fd940fd3cc0b47871454e476139cc53356ff2d30133229385a11432d34662a879b24a86e3d7b66f2f78dde1089628b4313c842ddea969da40440d6624a5c936878a6bb52a45745d9738a680b983bec2b70a5ff5a26bb113fa383deaf90199ad05aba595ab4841a72885bd534e0b8e6dcb71ee801c81fb7b191ab6d675094af7420b81075b8a8f5cced9b47e2dab1732a68f759d5497b16030100040e000000
    	Message-Authenticator = 0x00000000000000000000000000000000
    	State = 0xa5bdaa33a6b9bf7615f7075b5970b3e6
    Finished request 10.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=338
    Cleaning up request 10 ID 0 with timestamp +53
    	User-Name = "iMac"
    	NAS-IP-Address = 192.168.1.3
    	Called-Station-Id = "c2c1c00e689e"
    	Calling-Station-Id = "6470020d9a60"
    	NAS-Identifier = "c2c1c00e689e"
    	NAS-Port = 55
    	Framed-MTU = 1400
    	State = 0xa5bdaa33a6b9bf7615f7075b5970b3e6
    	NAS-Port-Type = Wireless-802.11
    	EAP-Message = 0x020400d01580000000c6160301008610000082008069173536bfc7ee7791552aacdda0fd3882cccf197f2b475cdd65eb8914f8ab8745241a58ac414edaac3b7ae66c3b29a53851c104a39706a834cc8d9971218652dff6b445a052bfde4edfab808c5f7d8f5bf218bf9a70413c0379c60c03adaaf3e5e3f3e731be93c4b6b0c778effd2f045b3e80de55328a8b452584c19eb5c7641403010001011603010030e7cf383fbf1575586b46afc7b602b833819a628c3bb5b2b09e6d5185952e72bb11285e2ef0bbfd05b4c59b57b2385414
    	Message-Authenticator = 0xf82c8d3c547ad0eab25ca945056bdcd3
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 4 length 208
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/ttls
    [eap] processing type ttls
    [ttls] Authenticate
    [ttls] processing EAP-TLS
      TLS Length 198
    [ttls] Length Included
    [ttls] eaptls_verify returned 11 
    [ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange  
    [ttls]     TLS_accept: SSLv3 read client key exchange A
    [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
    [ttls] <<< TLS 1.0 Handshake [length 0010], Finished  
    [ttls]     TLS_accept: SSLv3 read finished A
    [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
    [ttls]     TLS_accept: SSLv3 write change cipher spec A
    [ttls] >>> TLS 1.0 Handshake [length 0010], Finished  
    [ttls]     TLS_accept: SSLv3 write finished A
    [ttls]     TLS_accept: SSLv3 flush data
    [ttls]     (other): SSL negotiation finished successfully
    SSL Connection Established 
    [ttls] eaptls_process returned 13 
    ++[eap] returns handled
    Sending Access-Challenge of id 0 to 192.168.1.3 port 32777
    	EAP-Message = 0x0105004515800000003b14030100010116030100309f29009a79ccfde28f7ae3a940426ec7d38df955b8c2f612a939f267e2a93664f867d3d23400685f9515bce439da11ca
    	Message-Authenticator = 0x00000000000000000000000000000000
    	State = 0xa5bdaa33a1b8bf7615f7075b5970b3e6
    Finished request 11.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=273
    Cleaning up request 11 ID 0 with timestamp +53
    	User-Name = "iMac"
    	NAS-IP-Address = 192.168.1.3
    	Called-Station-Id = "c2c1c00e689e"
    	Calling-Station-Id = "6470020d9a60"
    	NAS-Identifier = "c2c1c00e689e"
    	NAS-Port = 55
    	Framed-MTU = 1400
    	State = 0xa5bdaa33a1b8bf7615f7075b5970b3e6
    	NAS-Port-Type = Wireless-802.11
    	EAP-Message = 0x0205008f15800000008517030100800c5401a9205d3b231283767efe5cab504bbc8ea3bf23a0252e6e2fb0e25c44052167860c7a038ca15d4aff84a641c68de621bfe99c581b25fbe4f206b67fe7479a67e988e7d9266f0a11fa30bc508a77fc41bd132335d8b695eb08719bcece3529a75bdaf74bdad04a9f083fedb6158227293542619d0f7eb74e2973dca89682
    	Message-Authenticator = 0xd746bd69bc1d78c782da3a672584b123
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 5 length 143
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/ttls
    [eap] processing type ttls
    [ttls] Authenticate
    [ttls] processing EAP-TLS
      TLS Length 133
    [ttls] Length Included
    [ttls] eaptls_verify returned 11 
    [ttls] eaptls_process returned 7 
    [ttls] Session established.  Proceeding to decode tunneled attributes.
    [ttls] Got tunneled request
    	User-Name = "iMac"
    	MS-CHAP-Challenge = 0x216e6d7055b6953d0c5c274e8c711562
    	MS-CHAP2-Response = 0x930032134e0db83e0e739dd1f9deab504b8b0000000000000000358813952bcb09e1da295f0db3f0c422c3b62833ea0d27ee
    	FreeRADIUS-Proxied-To = 127.0.0.1
    [ttls] Sending tunneled request
    	User-Name = "iMac"
    	MS-CHAP-Challenge = 0x216e6d7055b6953d0c5c274e8c711562
    	MS-CHAP2-Response = 0x930032134e0db83e0e739dd1f9deab504b8b0000000000000000358813952bcb09e1da295f0db3f0c422c3b62833ea0d27ee
    	FreeRADIUS-Proxied-To = 127.0.0.1
    	NAS-IP-Address = 192.168.1.3
    	Called-Station-Id = "c2c1c00e689e"
    	Calling-Station-Id = "6470020d9a60"
    	NAS-Identifier = "c2c1c00e689e"
    	NAS-Port = 55
    	Framed-MTU = 1400
    	NAS-Port-Type = Wireless-802.11
    server  {
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
    ++[mschap] returns ok
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    [files] users: Matched entry iMac at line 93
    ++[files] returns ok
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[daily] returns noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[weekly] returns noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[monthly] returns noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[forever] returns noop
    rlm_checkval: Item Name: Calling-Station-Id, Value: 6470020d9a60
    rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
    ++[checkval] returns notfound
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING: Auth-Type already set.  Not setting to PAP
    ++[pap] returns noop
    Found Auth-Type = MSCHAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group MS-CHAP {...}
    [mschap] Creating challenge hash with username: iMac
    [mschap] Told to do MS-CHAPv2 for iMac with NT-Password
    [mschap] adding MS-CHAPv2 MPPE keys
    ++[mschap] returns ok
    	expand:  -> 
    Login OK: [iMac/<via auth-type="mschap">] (from client DDWRT port 55 cli 6470020d9a60 via TLS tunnel) 
    # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group post-auth {...}
    ++[exec] returns noop
    } # server 
    [ttls] Got tunneled reply code 2
    	MS-CHAP2-Success = 0x93533d39374131363033353637343945314339393946433543413433463645334434433344304433443941
    	MS-MPPE-Recv-Key = 0x05c970907689df9dbe77e699083a3adf
    	MS-MPPE-Send-Key = 0x82c190c2664540b58c0386a3cb0ca4e0
    	MS-MPPE-Encryption-Policy = 0x00000001
    	MS-MPPE-Encryption-Types = 0x00000006
    [ttls] Got tunneled Access-Accept
    [ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge.
    ++[eap] returns handled
    Sending Access-Challenge of id 0 to 192.168.1.3 port 32777
    	EAP-Message = 0x0106005f1580000000551703010050f9c88cad381982a1f0ae154e0f519e88b6fbcdbd7896333fb06ab6524ae714b6e2731e77747135858c4952f2f2a8c3c5a36c3f4d4d2f7330ff69d11fb10754113cfb05d8bd0983ab6e9ddbd223ba875f
    	Message-Authenticator = 0x00000000000000000000000000000000
    	State = 0xa5bdaa33a0bbbf7615f7075b5970b3e6
    Finished request 12.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.1.3 port 32777, id=0, length=136
    Cleaning up request 12 ID 0 with timestamp +53
    	User-Name = "iMac"
    	NAS-IP-Address = 192.168.1.3
    	Called-Station-Id = "c2c1c00e689e"
    	Calling-Station-Id = "6470020d9a60"
    	NAS-Identifier = "c2c1c00e689e"
    	NAS-Port = 55
    	Framed-MTU = 1400
    	State = 0xa5bdaa33a0bbbf7615f7075b5970b3e6
    	NAS-Port-Type = Wireless-802.11
    	EAP-Message = 0x020600061500
    	Message-Authenticator = 0x6c0cd455b83db547049df27c1c4d0f04
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "iMac", skipping NULL due to config.
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "iMac", skipping NULL due to config.
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 6 length 6
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/ttls
    [eap] processing type ttls
    [ttls] Authenticate
    [ttls] processing EAP-TLS
    [ttls] Received TLS ACK
    [ttls] ACK handshake is finished
    [ttls] eaptls_verify returned 3 
    [ttls] eaptls_process returned 3 
    [ttls] Using saved attributes from the original Access-Accept
    [eap] Freeing handler
    ++[eap] returns ok
    	expand:  -> 
    Login OK: [iMac/<via auth-type="EAP">] (from client DDWRT port 55 cli 6470020d9a60) 
    # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 0 to 192.168.1.3 port 32777
    	MS-MPPE-Recv-Key = 0xe9344df21fd77df35a00cb75110bf1d978d4572954c5747f069ccd42fd5ecfaa
    	MS-MPPE-Send-Key = 0xe79c8437ca1b7bf9655c2312af508f4d8f747dd6023456f8049ef7c070844927
    	EAP-Message = 0x03060004
    	Message-Authenticator = 0x00000000000000000000000000000000
    	User-Name = "iMac"
    Finished request 13.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 13 ID 0 with timestamp +53
    Ready to process requests.
    

    I'm still on internet after 20 :o minutes…
    I can't understand where the problem is...
    Do you understand something?? :)



  • Hmm,

    I am no freeradius log expert but I do not see anything strange…

    But if you say, that the WLAN connection still exists but there is a problem with the IP address then perhaps you need to search somewhere else.
    You can try to add a static IP to your devices and try again to see if it is then working.

    Further, try to see whether this problem exists when both are connected at the same time and whether it does not exist when only one device is connected (only your iPad).



  • well.. I changed the security authentication… I use open wifi with the pfsense CaptivePortal... and... tatatadaaa.. same problem!!!!
    the mac can connect to cp and can surf internet for ALL time.. iPhone/iPad after a minute are still connected to the wifi network but can't surf internet... :'(
    then I think it is a freeradius2 problem because when I used freeradius there weren't these problems...  :-[

    so.. what can I do? reinstall freeradius2?  ??? ???



  • Can you try to increase:
    "Expiration of EAP-Response / EAP-Request List" to lets say 120s and try again.

    I don't think it is a freeradius problem. perhaps a problem of the supplicant installed on iPad/iPhone
    If the MAC is working with the same settings and other devices do not work - then it is probably not a RADIUS issue.



    OK, after a hard reset of pfsense and ddwrt now I understand!! ;D ;D ;D
    Are you good with iptables?
    In my ddwrt I have 2 networks: public (13.3.89.X) and private (192.168.1.X).
    but in both the pfsense and ddwrt firewalls I have the rule that the public network (with wpa2 enterprise) can't access the private network..
    BUT the RADIUS is into the private network!!
    I post an example image  :D
    https://dl.dropbox.com/u/28376825/foto.JPG

    So, if I put into DDWRT iptables the rule that private network can **only** access the pfsense RADIUS port then it should work..!! Do you know the iptables rule to do this???  :)


  • Sorry, I do not have any experience with iptables.
    Probably asking google will give you better answers ;)



  • It is a DDWRT Bug..!!
    I discovered that the encryption agent is using the wrong bridge interface.
    Thank You very much  :D
    Now I'll go into DDWRT forum to get help for this Bug  ;)

