I'm doing DD-WRT + FreeRADIUS on a Debian server.
Testing authentication works fine:
Code:
# radtest test test 127.0.0.1:1645 1645 secret
Sending Access-Request of id 82 to 127.0.0.1 port 1645
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1645
rad_recv: Access-Accept packet from host 127.0.0.1:1645, id=82, length=20
But when connecting to it from my MacBook, FreeRADIUS in debug shows:
Code:
Listening on authentication *:1645
Listening on accounting *:1646
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.0.11:2053, id=0, length=121
User-Name = "test"
NAS-IP-Address = 10.0.0.11
Called-Station-Id = "001217464f3b"
Calling-Station-Id = "001b630a4039"
NAS-Identifier = "001217464f3b"
NAS-Port = 51
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020000090174657374
Message-Authenticator = 0xebd43a7e4d20a3c9c817860c6c1f20fd
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 0 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
modcall[authorize]: module "files" returns notfound for request 0
radius_xlat: 'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 0 to 10.0.0.11 port 2053
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x78d2c504ff946ce6e4395659478cabfe
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.0.11:2053, id=0, length=242
User-Name = "test"
NAS-IP-Address = 10.0.0.11
Called-Station-Id = "001217464f3b"
Calling-Station-Id = "001b630a4039"
NAS-Identifier = "001217464f3b"
NAS-Port = 51
Framed-MTU = 1400
State = 0x78d2c504ff946ce6e4395659478cabfe
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201007015800000006616030100610100005d03014884ee5302fe3b065929b342007f93bb2d7b4af411103789eadeefa162df23b0000036002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010100
Message-Authenticator = 0x43888d4898fbc8e74366f9e00b49dcf2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 1 length 112
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
modcall[authorize]: module "files" returns notfound for request 1
radius_xlat: 'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module "sql" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0550], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 0 to 10.0.0.11 port 2053
EAP-Message = 0x84f5865f9b769f5f41c70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038181002b81525557d44a6b74f0ae3feed3ec65b29e704673e588095beeaf0a48923d5d63830158ea2fa56ac6b061ae02511102b712712df8f71ad81417557e24c26ab9144eb684b35eba6576ac587efa00534047e326401768707d03ec60d556c6a3ec1b4a86d1cbd7b985da9e94105ae7ded728dcdf28975b9e9659678459014640330002f6308202f23082025ba0030201020209008ebf92e5f8de1a52300d06092a864886f70d0101050500305a310b3009060355040613025553310b30090603550408
EAP-Message = 0xa442f5b35302003977c888cbf4b09e86ab8632b33cfa
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4357b8a1c358bab38bd4f8e73119035a
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.0.11:2053, id=0, length=136
User-Name = "test"
NAS-IP-Address = 10.0.0.11
Called-Station-Id = "001217464f3b"
Calling-Station-Id = "001b630a4039"
NAS-Identifier = "001217464f3b"
NAS-Port = 51
Framed-MTU = 1400
State = 0x4357b8a1c358bab38bd4f8e73119035a
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200061500
Message-Authenticator = 0xc7ab82cd636b8c3304ac8d8d85f88f68
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
modcall[authorize]: module "files" returns notfound for request 2
radius_xlat: 'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 2
modcall[authorize]: module "sql" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 0 to 10.0.0.11 port 2053
EAP-Message = 0x392e6e65748209008ebf92e5f8de1a52300c0603551d13040530030101ff300d06092a864886f70d0101050500038181006dbb743aa6d7ecdd8505c2843a00a5d26e9c3d6943d6d59f372e1b67a5bc13aa7abe6ba646618aa64bffc550d096d58e0595a265cc259064379417a69618a21874d2502a5999009ff2fd4ad3737c45e3f713ecaf9daf87a002e195602054de1a3809e188ae715b5b6709182a54b4c4f7912f912957550dcb205d16abb8cc7b8216030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcd19ada89fc1681b5e8405635b92cbe1
Finished request 2
Going to the next request
Waking up in 6 seconds...
This (looks to be) repeating over and over, with the client never getting authenticated.
Any ideas?
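
Decoding the EAP-Message values from the debug output above shows which EAP method, fragment flags and TLS handshake step each packet carries. This is an added example, not part of the original post; the function name decode_eap and the field names in its result are assumptions made for illustration.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_FLAGS = ((0x80, "LengthIncluded"), (0x40, "MoreFragments"), (0x20, "Start"))
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             14: "ServerHelloDone", 16: "ClientKeyExchange"}

def decode_eap(hex_value):
    """Decode one EAP packet as printed in an EAP-Message attribute (0x...)."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "complete": length == len(raw)}  # False if split across attributes
    if code not in (1, 2) or len(raw) < 5:
        return info  # Success/Failure carry no type field
    eap_type, body = raw[4], raw[5:]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        info["identity"] = body.decode("utf-8", "replace")
    elif eap_type in (13, 21, 25) and body:
        flags, data = body[0], body[1:]
        info["flags"] = [name for bit, name in TLS_FLAGS if flags & bit]
        if flags & 0x80 and len(data) >= 4:
            info["tls_length"] = struct.unpack("!I", data[:4])[0]
            data = data[4:]
        # No Start flag and no payload: acknowledgement of a received fragment
        info["fragment_ack"] = not data and not flags & 0x20
        # TLS record header is type(1) version(2) length(2); type 22 = handshake
        if len(data) >= 6 and data[0] == 22:
            info["handshake"] = HANDSHAKE.get(data[5], data[5])
    return info

# EAP-Message values copied from the debug output above, in the order they appear
SAMPLES = [
    "0x020000090174657374",   # first Access-Request
    "0x010100061520",         # first Access-Challenge
    "0x0201007015800000006616030100610100005d0301"
    "4884ee5302fe3b065929b342007f93bb2d7b4af411103789eadeefa162df23b0"
    "000036002f000500040035000a000900030008000600320033003800390016"
    "001500140013001200110034003a0018001b001a0017001900010100",
    "0x020200061500",         # third Access-Request
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decode_eap(sample))
```

A packet split across several EAP-Message attributes has to be concatenated before decoding; the "complete" field is False when only part of it was passed in.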