Differences

This shows you the differences between two versions of the page.

Link to this comparison view

80_._x [2012/06/06 12:15] (current)
Line 1: Line 1:
 +====== Securing wi-fi net with EAP/TTLS ======
  
 +This is a very simple cookbook to configure EAP-TTLS with PAP to secure wi-fi LAN.
 +
 +===== Network Map =====
 +
 +(INTERNET) <-> (1.1.1.1) fw (lan:​192.168.1.254) <-> (inet:​192.168.1.253) AP (wlan: 192.168.27.254) <-> (wlan:​192.168.27.111) client
 +
 +===== fw: FreeRadius Config Files =====
 +
 +FreeRadius 1.1.1
 +
 +File **/​etc/​raddb/​radiusd.conf**:​
 +<code bash>
 +prefix = /usr
 +exec_prefix = ${prefix}
 +sysconfdir = /etc
 +localstatedir = /var
 +sbindir = ${exec_prefix}/​sbin
 +logdir = ${localstatedir}/​log/​radius
 +raddbdir = ${sysconfdir}/​raddb
 +radacctdir = ${logdir}/​radacct
 +confdir = ${raddbdir}
 +run_dir = ${localstatedir}/​run/​radiusd
 +log_file = ${logdir}/​radius.log
 +libdir = ${exec_prefix}/​lib
 +pidfile = ${run_dir}/​radiusd.pid
 +max_request_time = 30
 +delete_blocked_requests = no
 +cleanup_delay = 5
 +max_requests = 1024
 +bind_address = 192.168.1.254
 +port = 0
 +hostname_lookups = no
 +allow_core_dumps = no
 +regular_expressions ​    = yes
 +extended_expressions ​   = yes
 +log_stripped_names = no
 +log_auth = no
 +log_auth_badpass = no
 +log_auth_goodpass = no
 +usercollide = no
 +lower_user = no
 +lower_pass = no
 +nospace_user = no
 +nospace_pass = no
 +Checkrad = ${sbindir}/​checkrad
 +security {
 +        max_attributes = 200
 +        reject_delay = 1
 +        status_server = no
 +}
 +
 +proxy_requests ​ = yes
 +$INCLUDE ​ ${confdir}/​proxy.conf
 +$INCLUDE ​ ${confdir}/​clients.conf
 +snmp    = no
 +$INCLUDE ​ ${confdir}/​snmp.conf
 +thread pool {
 +        start_servers = 5
 +        max_servers = 32
 +        min_spare_servers = 3
 +        max_spare_servers = 10
 +        max_requests_per_server = 0
 +}
 +
 +modules {
 +        pap {
 +                encryption_scheme = clear
 +        }
 +
 +        eap {
 +                default_eap_type = ttls
 +                timer_expire ​    = 60
 +                ignore_unknown_eap_types = no
 +
 +                gtc {
 +                        auth_type = PAP
 +                }
 +                tls {
 +                        private_key_password = druvs2systems
 +                        private_key_file = /​etc/​raddb/​certs/​cert-srv.pem
 +                        certificate_file = /​etc/​raddb/​certs/​cert-srv.pem
 +                        CA_file = /​etc/​raddb/​certs/​demoCA/​cacert.pem
 +                        dh_file = /​etc/​raddb/​certs/​dh
 +                        random_file = /​etc/​raddb/​certs/​random
 +                        fragment_size = 1024
 +                        include_length = yes
 +                }
 +                ttls {
 +                        default_eap_type = gtc
 +                        copy_request_to_tunnel = no
 +                        use_tunneled_reply = no
 +                }
 +        }
 +
 +        files {
 +                usersfile = ${confdir}/​users
 +                acctusersfile = ${confdir}/​acct_users
 +                compat = no
 +        }
 +}
 +
 +authorize {
 +        eap
 +        files
 +}
 +authenticate {
 +        eap
 +        Auth-Type PAP {
 +               pap
 +        }
 +}
 +
 +post-proxy {
 +        eap
 +}
 +
 +
 +</​code>​
 +
 +
 +
 +File **/​etc/​raddb/​clients.conf**:​
 +<code bash>
 +client 192.168.1.253/​32 {
 +        secret ​         = SharedSecret99
 +        shortname ​      = localhost
 +}
 +</​code>​
 +
 +File **/​etc/​raddb/​users**:​
 +<code bash>
 +"​testuser" ​     User-Password == "​secret"​
 +</​code>​
 +
 +When launch radius with debug mode **radiusd -X** we have this output:
 +<​file>​
 +Starting - reading configuration files ...
 +reread_config: ​ reading radiusd.conf
 +Config: ​  ​including file: /​etc/​raddb/​proxy.conf
 +Config: ​  ​including file: /​etc/​raddb/​clients.conf
 +Config: ​  ​including file: /​etc/​raddb/​snmp.conf
 + main: prefix = "/​usr"​
 + main: localstatedir = "/​var"​
 + main: logdir = "/​var/​log/​radius"​
 + main: libdir = "/​usr/​lib"​
 + main: radacctdir = "/​var/​log/​radius/​radacct"​
 + main: hostname_lookups = no
 + main: snmp = no
 + main: max_request_time = 30
 + main: cleanup_delay = 5
 + main: max_requests = 1024
 + main: delete_blocked_requests = 0
 + main: port = 0
 + main: allow_core_dumps = no
 + main: log_stripped_names = no
 + main: log_file = "/​var/​log/​radius/​radius.log"​
 + main: log_auth = no
 + main: log_auth_badpass = no
 + main: log_auth_goodpass = no
 + main: pidfile = "/​var/​run/​radiusd/​radiusd.pid"​
 + main: bind_address = 192.168.1.254 IP address [192.168.1.254]
 + main: user = "​(null)"​
 + main: group = "​(null)"​
 + main: usercollide = no
 + main: lower_user = "​no"​
 + main: lower_pass = "​no"​
 + main: nospace_user = "​no"​
 + main: nospace_pass = "​no"​
 + main: checkrad = "/​usr/​sbin/​checkrad"​
 + main: proxy_requests = yes
 + ​proxy:​ retry_delay = 5
 + ​proxy:​ retry_count = 3
 + ​proxy:​ synchronous = no
 + ​proxy:​ default_fallback = yes
 + ​proxy:​ dead_time = 120
 + ​proxy:​ post_proxy_authorize = yes
 + ​proxy:​ wake_all_if_all_dead = no
 + ​security:​ max_attributes = 200
 + ​security:​ reject_delay = 1
 + ​security:​ status_server = no
 + main: debug_level = 0
 +read_config_files: ​ reading dictionary
 +read_config_files: ​ reading naslist
 +Using deprecated naslist file.  Support for this will go away soon.
 +read_config_files: ​ reading clients
 +read_config_files: ​ reading realms
 +radiusd: ​ entering modules setup
 +Module: Library search path is /usr/lib
 +Module: Loaded eap
 + eap: default_eap_type = "​ttls"​
 + eap: timer_expire = 60
 + eap: ignore_unknown_eap_types = no
 + eap: cisco_accounting_username_bug = no
 + gtc: challenge = "​Password:​ "
 + gtc: auth_type = "​PAP"​
 +rlm_eap: Loaded and initialized type gtc
 + tls: rsa_key_exchange = no
 + tls: dh_key_exchange = yes
 + tls: rsa_key_length = 512
 + tls: dh_key_length = 512
 + tls: verify_depth = 0
 + tls: CA_path = "​(null)"​
 + tls: pem_file_type = yes
 + tls: private_key_file = "/​etc/​raddb/​certs/​cert-srv.pem"​
 + tls: certificate_file = "/​etc/​raddb/​certs/​cert-srv.pem"​
 + tls: CA_file = "/​etc/​raddb/​certs/​demoCA/​cacert.pem"​
 + tls: private_key_password = "​druvs2systems"​
 + tls: dh_file = "/​etc/​raddb/​certs/​dh"​
 + tls: random_file = "/​etc/​raddb/​certs/​random"​
 + tls: fragment_size = 1024
 + tls: include_length = yes
 + tls: check_crl = no
 + tls: check_cert_cn = "​(null)"​
 +rlm_eap_tls:​ Loading the certificate file as a chain
 +rlm_eap: Loaded and initialized type tls
 + ttls: default_eap_type = "​gtc"​
 + ttls: copy_request_to_tunnel = no
 + ttls: use_tunneled_reply = no
 +rlm_eap: Loaded and initialized type ttls
 +Module: Instantiated eap (eap)
 +Module: Loaded PAP
 + pap: encryption_scheme = "​clear"​
 +Module: Instantiated pap (pap)
 +Module: Loaded files
 + ​files:​ usersfile = "/​etc/​raddb/​users"​
 + ​files:​ acctusersfile = "/​etc/​raddb/​acct_users"​
 + ​files:​ preproxy_usersfile = "/​etc/​raddb/​preproxy_users"​
 + ​files:​ compat = "​no"​
 +Module: Instantiated files (files)
 +Listening on authentication 192.168.1.254:​1812
 +Listening on accounting 192.168.1.254:​1813
 +Ready to process requests.
 +</​file>​
 +
 +===== Client Configuration =====
 +
 +The client is a linux box with wpa_supplicant.
 +
 +WPA supplicant configuration file **/​etc/​wpa_supplicant.conf**: ​
 +<code bash>
 +network={
 +ssid="​ymbi"​
 +proto=WPA
 +key_mgmt=WPA-EAP
 +pairwise=TKIP
 +group=TKIP
 +eap=TTLS
 +ca_cert="/​etc/​cert/​demoCA/​cacert.pem"​
 +client_cert="/​etc/​cert/​cert-clt.pem"​
 +private_key="/​etc/​cert/​cert-clt.p12"​
 +private_key_passwd="​passwordofkeyfile"​
 +
 +identity="​testuser"​
 +password="​secret"​
 +}
 +</​code>​
 +
 +Now we try tu run wpa_supplicant with debug output: \\
 +**# wpa_supplicant -iwlan0 -c/​etc/​wpa_supplicant.conf -w -Dndiswrapper**
 +<​file>​
 +Trying to associate with 00:​18:​39:​bf:​d4:​81 (SSID='​ymbi'​ freq=2437 MHz)
 +Associated with 00:​18:​39:​bf:​d4:​81
 +CTRL-EVENT-EAP-STARTED EAP authentication started
 +OpenSSL: pending error: error:​0D07803A:​asn1 encoding
 +routines:​ASN1_ITEM_EX_D2I:​nested asn1 error
 +OpenSSL: pending error: error:​140C800D:​SSL
 +routines:​SSL_use_certificate_file:​ASN1 lib
 +OpenSSL: pending error: error:​140CB009:​SSL
 +routines:​SSL_use_PrivateKey_file:​PEM lib
 +CTRL-EVENT-EAP-METHOD EAP method 21 (TTLS) selected
 +CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
 +WPA: Key negotiation completed with 00:​18:​39:​bf:​d4:​81 [PTK=TKIP
 +GTK=TKIP]
 +CTRL-EVENT-CONNECTED - Connection to 00:​18:​39:​bf:​d4:​81 completed (auth)
 +</​file>​
 +
 +===== Debug ouput of radius =====
 +
 +<​file>​
 +rad_recv: Access-Request packet from host 192.168.1.253:​2049,​ id=0,
 +length=129
 +        User-Name = "​testuser"​
 +        NAS-IP-Address = 192.168.1.253
 +        Called-Station-Id = "​001839bfd481"​
 +        Calling-Station-Id = "​009096a365ec"​
 +        NAS-Identifier = "​001839bfd481"​
 +        NAS-Port = 42
 +        Framed-MTU = 1400
 +        NAS-Port-Type = Wireless-802.11
 +        EAP-Message = 0x0200000d017465737475736572
 +        Message-Authenticator = 0xeee5396011aad1c468c591d4ca65d012
 +  Processing the authorize section of radiusd.conf
 +modcall: entering group authorize for request 0
 +  rlm_eap: EAP packet type response id 0 length 13
 +  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 +  modcall[authorize]:​ module "​eap"​ returns updated for request 0
 +    users: Matched entry testuser at line 1
 +  modcall[authorize]:​ module "​files"​ returns ok for request 0
 +modcall: leaving group authorize (returns updated) for request 0
 +  rad_check_password: ​ Found Auth-Type EAP
 +auth: type "​EAP"​
 +  Processing the authenticate section of radiusd.conf
 +modcall: entering group authenticate for request 0
 +  rlm_eap: EAP Identity
 +  rlm_eap: processing type tls
 +  rlm_eap_tls:​ Initiate
 +  rlm_eap_tls:​ Start returned 1
 +  modcall[authenticate]:​ module "​eap"​ returns handled for request 0
 +modcall: leaving group authenticate (returns handled) for request 0
 +Sending Access-Challenge of id 0 to 192.168.1.253 port 2049
 +        EAP-Message = 0x010100061520
 +        Message-Authenticator = 0x00000000000000000000000000000000
 +        State = 0x21182ca541e9335a66f8b91266e2e5a3
 +Finished request 0
 +Going to the next request
 +--- Walking the entire request list ---
 +Waking up in 6 seconds...
 +rad_recv: Access-Request packet from host 192.168.1.253:​2049,​ id=0,
 +length=242
 +        User-Name = "​testuser"​
 +        NAS-IP-Address = 192.168.1.253
 +        Called-Station-Id = "​001839bfd481"​
 +        Calling-Station-Id = "​009096a365ec"​
 +        NAS-Identifier = "​001839bfd481"​
 +        NAS-Port = 42
 +        Framed-MTU = 1400
 +        State = 0x21182ca541e9335a66f8b91266e2e5a3
 +        NAS-Port-Type = Wireless-802.11
 +        EAP-Message =
 +0x0201006c150016030100610100005d030144f963994bb3b5b6843d1ffb980f1dd90664779d88fa0d45e592b349d0c4a2b000003600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100
 +        Message-Authenticator = 0x37bd3d6c73d7d196d9ffd4125fa7520f
 +  Processing the authorize section of radiusd.conf
 +modcall: entering group authorize for request 1
 +  rlm_eap: EAP packet type response id 1 length 108
 +  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 +  modcall[authorize]:​ module "​eap"​ returns updated for request 1
 +    users: Matched entry testuser at line 1
 +  modcall[authorize]:​ module "​files"​ returns ok for request 1
 +modcall: leaving group authorize (returns updated) for request 1
 +  rad_check_password: ​ Found Auth-Type EAP
 +auth: type "​EAP"​
 +  Processing the authenticate section of radiusd.conf
 +modcall: entering group authenticate for request 1
 +  rlm_eap: Request found, released from the list
 +  rlm_eap: EAP/ttls
 +  rlm_eap: processing type ttls
 +  rlm_eap_ttls:​ Authenticate
 +  rlm_eap_tls:​ processing TLS
 +  eaptls_verify returned 7
 +  rlm_eap_tls:​ Done initial handshake
 +    (other): before/​accept initialization
 +    TLS_accept: before/​accept initialization
 +  rlm_eap_tls:​ <<<​ TLS 1.0 Handshake [length 0061], ClientHello
 +    TLS_accept: SSLv3 read client hello A
 +  rlm_eap_tls:​ >>>​ TLS 1.0 Handshake [length 004a], ServerHello
 +    TLS_accept: SSLv3 write server hello A
 +  rlm_eap_tls:​ >>>​ TLS 1.0 Handshake [length 069f], Certificate
 +    TLS_accept: SSLv3 write certificate A
 +  rlm_eap_tls:​ >>>​ TLS 1.0 Handshake [length 010d], ServerKeyExchange
 +    TLS_accept: SSLv3 write key exchange A
 +  rlm_eap_tls:​ >>>​ TLS 1.0 Handshake [length 0004], ServerHelloDone
 +    TLS_accept: SSLv3 write server done A
 +    TLS_accept: SSLv3 flush data
 +    TLS_accept:​error in SSLv3 read client certificate A
 +In SSL Handshake Phase
 +In SSL Accept mode
 +  eaptls_process returned 13
 +  modcall[authenticate]:​ module "​eap"​ returns handled for request 1
 +modcall: leaving group authenticate (returns handled) for request 1
 +Sending Access-Challenge of id 0 to 192.168.1.253 port 2049
 +        EAP-Message =
 +0x0102040a15c00000080e160301004a02000046030144f963990894dce46a385ae5d10e6c63b9ec7ec31021cde5ee21da67d6876c2020969cced1cf79f958c9a4099552b16b0f57e7df5a5bded193933d0a6095d03c42003900160301069f0b00069b0006980002cc308202c830820231a003020102020102300d06092a864886f70d010104050030819d310b3009060355040613024341311230100603550408130942617263656c6f6e613111300f06035504071308436f726e656c6c6131163014060355040a130d44525556532053797374656d73310b3009060355040b13026630311a301806035504031311436c69656e74207769666920647275
 +        EAP-Message =
 +0x76733126302406092a864886f70d01090116176f72696f6c4064727576732d73797374656d732e636f6d301e170d3036303132353230353030385a170d3037303132353230353030385a30819c310b3009060355040613024341311230100603550408130942617263656c6f6e613111300f06035504071308436f726e656c6c6131163014060355040a130d44525556532053797374656d73310b3009060355040b13026630311930170603550403131043412064727576732073797374656d733126302406092a864886f70d01090116176f72696f6c4064727576732d73797374656d732e636f6d30819f300d06092a864886f70d01010105000381
 +        EAP-Message =
 +0x8d0030818902818100ca75d0502d1fcc9a98659a215fd56bc988c9456cbbed6652c09e06c871164172109ae52ce14e6e28bac61e65f28fdd38ae40206d429ee272d851c1be1c999c3f46afb67b816ed39b0d31248289b2fd19793ac00c68da96bb5e68436fee8accd7ac931a3ab53d3e17a9bed9fa65757753e66ea9ba1c3fdcd2424fbc99aca980370203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181002e9c93dcfcda12811599b13551965a35afb4e26feb98756a38f24b7da903bc3fc9a287846af47f6116f9792911770d9182fc56cc9c0c302ff99535e01fc3578fc285d9
 +        EAP-Message =
 +0xed279fb00cf4c23b60f95eded17bff4b645dcb0fd3c84719fb8a31be52f093be7f82874c68dd1706fdc4b40cf1d6eceec354cc352051690938d8e28f450003c6308203c23082032ba003020102020900f950691baf0e3e16300d06092a864886f70d010104050030819d310b3009060355040613024341311230100603550408130942617263656c6f6e613111300f06035504071308436f726e656c6c6131163014060355040a130d44525556532053797374656d73310b3009060355040b13026630311a301806035504031311436c69656e7420776966692064727576733126302406092a864886f70d01090116176f72696f6c4064727576732d73
 +        EAP-Message = 0x797374656d732e636f6d301e170d3036303132353230
 +        Message-Authenticator = 0x00000000000000000000000000000000
 +        State = 0x12ac64c530bb647d09b3f01125f34fb0
 +Finished request 1
 +Going to the next request
 +Waking up in 6 seconds...
 +rad_recv: Access-Request packet from host 192.168.1.253:​2049,​ id=0,
 +length=140
 +        User-Name = "​testuser"​
 +        NAS-IP-Address = 192.168.1.253
 +        Called-Station-Id = "​001839bfd481"​
 +        Calling-Station-Id = "​009096a365ec"​
 +        NAS-Identifier = "​001839bfd481"​
 +        NAS-Port = 42
 +        Framed-MTU = 1400
 +        State = 0x12ac64c530bb647d09b3f01125f34fb0
 +        NAS-Port-Type = Wireless-802.11
 +        EAP-Message = 0x020200061500
 +        Message-Authenticator = 0x29ccd4e00a0946e81b116a2204e47dcc
 +  Processing the authorize section of radiusd.conf
 +modcall: entering group authorize for request 2
 +  rlm_eap: EAP packet type response id 2 length 6
 +  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 +  modcall[authorize]:​ module "​eap"​ returns updated for request 2
 +    users: Matched entry testuser at line 1
 +  modcall[authorize]:​ module "​files"​ returns ok for request 2
 +modcall: leaving group authorize (returns updated) for request 2
 +  rad_check_password: ​ Found Auth-Type EAP
 +auth: type "​EAP"​
 +  Processing the authenticate section of radiusd.conf
 +modcall: entering group authenticate for request 2
 +  rlm_eap: Request found, released from the list
 +  rlm_eap: EAP/ttls
 +  rlm_eap: processing type ttls
 +  rlm_eap_ttls:​ Authenticate
 +  rlm_eap_tls:​ processing TLS
 +rlm_eap_tls:​ Received EAP-TLS ACK message
 +  rlm_eap_tls:​ ack handshake fragment handler
 +  eaptls_verify returned 1
 +  eaptls_process returned 13
 +  modcall[authenticate]:​ module "​eap"​ returns handled for request 2
 +modcall: leaving group authenticate (returns handled) for request 2
 +Sending Access-Challenge of id 0 to 192.168.1.253 port 2049
 +        EAP-Message =
 +0x0103040a15c00000080e353030365a170d3136303132333230353030365a30819d310b3009060355040613024341311230100603550408130942617263656c6f6e613111300f06035504071308436f726e656c6c6131163014060355040a130d44525556532053797374656d73310b3009060355040b13026630311a301806035504031311436c69656e7420776966692064727576733126302406092a864886f70d01090116176f72696f6c4064727576732d73797374656d732e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100b95b5417dddca78cffb8aebf8fde0c552069265a1676426d09f02e00ff588663d6b8
 +        EAP-Message =
 +0x5b96436030129f8faeb9676b3fb6dcf645e28677431d9eedd301fdcb195f9c4e3d69ccdcc87c3995df378bb01a7dabdd05d5875d888d46056c971c33eca8e6f9d91068518693d67ca813e58a4922897edfbcb0cb1ad18e0a09f7f46894070203010001a382010630820102301d0603551d0e0416041474c62db92bf47efc071c41018111e3e5e32aa50e3081d20603551d230481ca3081c7801474c62db92bf47efc071c41018111e3e5e32aa50ea181a3a481a030819d310b3009060355040613024341311230100603550408130942617263656c6f6e613111300f06035504071308436f726e656c6c6131163014060355040a130d44525556532053
 +        EAP-Message =
 +0x797374656d73310b3009060355040b13026630311a301806035504031311436c69656e7420776966692064727576733126302406092a864886f70d01090116176f72696f6c4064727576732d73797374656d732e636f6d820900f950691baf0e3e16300c0603551d13040530030101ff300d06092a864886f70d0101040500038181001ed1a0326268e23341f45fe0d1ac5e7a0dd08763838d53c1d90a8d71245e0aba46a68fe376e576f7dc3d4188ff72e71cfd9b1bda2b8b20ffcea988a65f5fb9296ebcadefc30fdb60e95f07d0b88124d9fd40debaa83b316818064bbe2f4a57edc0964efa3fa85ea4bedc8c4d5c23c46f9033162edd9d5805920d
 +        EAP-Message =
 +0x3d50555c1047160301010d0c0001090040d4e5200ad631ef8e2e8fccb0f3cb8c9f9cde60256c57b678151215ed3d218a4e8e5ba535b88f5fd8dd06a4d4789d79128e9d8d1758ada473c1253e820e9d95a300010200407b1811b1c240010d6d0f006b977786e6a0e482fd1d0149fb32c5341131b27e4ad185e4f87bf0fb9fa34cbf20d30fc4731dbf23be3d1e8ef0ded34e75ea47ad6300804a4c5849a91145aaa406e73887c7afb669171a4fc757d77a4800ac6220f51238e157241cfaaa5b464945a497fb01ccb51d5676deae0c48cbb810a2dff763fc7b09f948432ffc346788373d6e7c667b54c75073c6798accbd4a465960439eaff6dfae9dd6e2
 +        EAP-Message = 0xfffca21e7f20b1e3019625cb55180331e4aae00c74c1
 +        Message-Authenticator = 0x00000000000000000000000000000000
 +        State = 0xec9855d26368dcc0a19d5c7603762c6c
 +Finished request 2
 +Going to the next request
 +Waking up in 6 seconds...
 +rad_recv: Access-Request packet from host 192.168.1.253:​2049,​ id=0,
 +length=140
 +        User-Name = "​testuser"​
 +        NAS-IP-Address = 192.168.1.253
 +        Called-Station-Id = "​001839bfd481"​
 +        Calling-Station-Id = "​009096a365ec"​
 +        NAS-Identifier = "​001839bfd481"​
 +        NAS-Port = 42
 +        Framed-MTU = 1400
 +        State = 0xec9855d26368dcc0a19d5c7603762c6c
 +        NAS-Port-Type = Wireless-802.11
 +        EAP-Message = 0x020300061500
 +        Message-Authenticator = 0x8e9fc5b99c088bb76d6bff199f5a5ed1
 +  Processing the authorize section of radiusd.conf
 +modcall: entering group authorize for request 3
 +  rlm_eap: EAP packet type response id 3 length 6
 +  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 +  modcall[authorize]:​ module "​eap"​ returns updated for request 3
 +    users: Matched entry testuser at line 1
 +  modcall[authorize]:​ module "​files"​ returns ok for request 3
 +modcall: leaving group authorize (returns updated) for request 3
 +  rad_check_password: ​ Found Auth-Type EAP
 +auth: type "​EAP"​
 +  Processing the authenticate section of radiusd.conf
 +modcall: entering group authenticate for request 3
 +  rlm_eap: Request found, released from the list
 +  rlm_eap: EAP/ttls
 +  rlm_eap: processing type ttls
 +  rlm_eap_ttls:​ Authenticate
 +  rlm_eap_tls:​ processing TLS
 +rlm_eap_tls:​ Received EAP-TLS ACK message
 +  rlm_eap_tls:​ ack handshake fragment handler
 +  eaptls_verify returned 1
 +  eaptls_process returned 13
 +  modcall[authenticate]:​ module "​eap"​ returns handled for request 3
 +modcall: leaving group authenticate (returns handled) for request 3
 +Sending Access-Challenge of id 0 to 192.168.1.253 port 2049
 +        EAP-Message = 0x0104001815800000080e20cd7349f716030100040e000000
 +        Message-Authenticator = 0x00000000000000000000000000000000
 +        State = 0x74f0f317d1e6515d0e08de153e7585b5
 +Finished request 3
 +Going to the next request
 +Waking up in 6 seconds...
 +rad_recv: Access-Request packet from host 192.168.1.253:​2049,​ id=0,
 +length=274
 +        User-Name = "​testuser"​
 +        NAS-IP-Address = 192.168.1.253
 +        Called-Station-Id = "​001839bfd481"​
 +        Calling-Station-Id = "​009096a365ec"​
 +        NAS-Identifier = "​001839bfd481"​
 +        NAS-Port = 42
 +        Framed-MTU = 1400
 +        State = 0x74f0f317d1e6515d0e08de153e7585b5
 +        NAS-Port-Type = Wireless-802.11
 +        EAP-Message =
 +0x0204008c150016030100461000004200406a306957e94709b5329f4fef619d08070850b8a1a497b1d323d0ec3678954a7e3ac6cba9940583aedd8cd622a6b0afd84e537d05b3377cae21aab6b904bab8eb1403010001011603010030a3afca3f1defb9b613af40bff506261a52f97d6df30a9e62702bfc295f8589dea32cc126282236d73928f31472e1da27
 +        Message-Authenticator = 0x74bee9bfe2b8e4b724d2954862405b17
 +  Processing the authorize section of radiusd.conf
 +modcall: entering group authorize for request 4
 +  rlm_eap: EAP packet type response id 4 length 140
 +  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 +  modcall[authorize]:​ module "​eap"​ returns updated for request 4
 +    users: Matched entry testuser at line 1
 +  modcall[authorize]:​ module "​files"​ returns ok for request 4
 +modcall: leaving group authorize (returns updated) for request 4
 +  rad_check_password: ​ Found Auth-Type EAP
 +auth: type "​EAP"​
 +  Processing the authenticate section of radiusd.conf
 +modcall: entering group authenticate for request 4
 +  rlm_eap: Request found, released from the list
 +  rlm_eap: EAP/ttls
 +  rlm_eap: processing type ttls
 +  rlm_eap_ttls:​ Authenticate
 +  rlm_eap_tls:​ processing TLS
 +  eaptls_verify returned 7
 +  rlm_eap_tls:​ Done initial handshake
 +  rlm_eap_tls:​ <<<​ TLS 1.0 Handshake [length 0046], ClientKeyExchange
 +    TLS_accept: SSLv3 read client key exchange A
 +  rlm_eap_tls:​ <<<​ TLS 1.0 ChangeCipherSpec [length 0001]
 +  rlm_eap_tls:​ <<<​ TLS 1.0 Handshake [length 0010], Finished
 +    TLS_accept: SSLv3 read finished A
 +  rlm_eap_tls:​ >>>​ TLS 1.0 ChangeCipherSpec [length 0001]
 +    TLS_accept: SSLv3 write change cipher spec A
 +  rlm_eap_tls:​ >>>​ TLS 1.0 Handshake [length 0010], Finished
 +    TLS_accept: SSLv3 write finished A
 +    TLS_accept: SSLv3 flush data
 +    (other): SSL negotiation finished successfully
 +SSL Connection Established
 +  eaptls_process returned 13
 +  modcall[authenticate]:​ module "​eap"​ returns handled for request 4
 +modcall: leaving group authenticate (returns handled) for request 4
 +Sending Access-Challenge of id 0 to 192.168.1.253 port 2049
 +        EAP-Message =
 +0x0105004515800000003b14030100010116030100305c7ade06311b72ffb6ee34f58e3045f96e98b6d21c4274b513542c2270e9d6b0f46a8231b70471c17d5e44193001c0e0
 +        Message-Authenticator = 0x00000000000000000000000000000000
 +        State = 0xd47040ab18b10619471de9cccf19268e
 +Finished request 4
 +Going to the next request
 +Waking up in 6 seconds...
 +rad_recv: Access-Request packet from host 192.168.1.253:​2049,​ id=0,
 +length=230
 +        User-Name = "​testuser"​
 +        NAS-IP-Address = 192.168.1.253
 +        Called-Station-Id = "​001839bfd481"​
 +        Calling-Station-Id = "​009096a365ec"​
 +        NAS-Identifier = "​001839bfd481"​
 +        NAS-Port = 42
 +        Framed-MTU = 1400
 +        State = 0xd47040ab18b10619471de9cccf19268e
 +        NAS-Port-Type = Wireless-802.11
 +        EAP-Message =
 +0x020500601500170301002080f833d632ed6b6db2e546c61ec3a9bcb03ad2bb400d4065ebcdcef8369c313a1703010030544963e7a4c65456f1c07ca60baf6997fc8780b459f979353aa222806431d767564b7a9e56454fc37f73d383de22e38d
 +        Message-Authenticator = 0x9d57d285158cea3f520c61f70b494356
 +  Processing the authorize section of radiusd.conf
 +modcall: entering group authorize for request 5
 +  rlm_eap: EAP packet type response id 5 length 96
 +  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 +  modcall[authorize]:​ module "​eap"​ returns updated for request 5
 +    users: Matched entry testuser at line 1
 +  modcall[authorize]:​ module "​files"​ returns ok for request 5
 +modcall: leaving group authorize (returns updated) for request 5
 +  rad_check_password: ​ Found Auth-Type EAP
 +auth: type "​EAP"​
 +  Processing the authenticate section of radiusd.conf
 +modcall: entering group authenticate for request 5
 +  rlm_eap: Request found, released from the list
 +  rlm_eap: EAP/ttls
 +  rlm_eap: processing type ttls
 +  rlm_eap_ttls:​ Authenticate
 +  rlm_eap_tls:​ processing TLS
 +  eaptls_verify returned 7
 +  rlm_eap_tls:​ Done initial handshake
 +  eaptls_process returned 7
 +  rlm_eap_ttls:​ Session established. ​ Proceeding to decode tunneled
 +attributes.
 +  TTLS: Got tunneled request
 +        EAP-Message = 0x0205000d017465737475736572
 +        FreeRADIUS-Proxied-To = 127.0.0.1
 +  TTLS: Got tunneled identity of testuser
 +  TTLS: Setting default EAP type for tunneled EAP session.
 +  TTLS: Sending tunneled request
 +        EAP-Message = 0x0205000d017465737475736572
 +        FreeRADIUS-Proxied-To = 127.0.0.1
 +        User-Name = "​testuser"​
 +  Processing the authorize section of radiusd.conf
 +modcall: entering group authorize for request 5
 +  rlm_eap: EAP packet type response id 5 length 13
 +  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 +  modcall[authorize]:​ module "​eap"​ returns updated for request 5
 +    users: Matched entry testuser at line 1
 +  modcall[authorize]:​ module "​files"​ returns ok for request 5
 +modcall: leaving group authorize (returns updated) for request 5
 +  rad_check_password: ​ Found Auth-Type EAP
 +auth: type "​EAP"​
 +  Processing the authenticate section of radiusd.conf
 +modcall: entering group authenticate for request 5
 +  rlm_eap: EAP Identity
 +  rlm_eap: processing type gtc
 +  modcall[authenticate]:​ module "​eap"​ returns handled for request 5
 +modcall: leaving group authenticate (returns handled) for request 5
 +  TTLS: Got tunneled reply RADIUS code 11
 +        EAP-Message = 0x0106000f0650617373776f72643a20
 +        Message-Authenticator = 0x00000000000000000000000000000000
 +        State = 0x7483fff7bbbda2819fabed3436521707
 +  TTLS: Got tunneled Access-Challenge
 +  modcall[authenticate]:​ module "​eap"​ returns handled for request 5
 +modcall: leaving group authenticate (returns handled) for request 5
 +Sending Access-Challenge of id 0 to 192.168.1.253 port 2049
 +        EAP-Message =
 +0x0106006415800000005a17030100206b1cf1e2a1e2158735a57447c681de391dfcf092b1351b10899076ec92799fe81703010030b777d90ae1ceb35bd526231cf8dcf42ab213ccce63c75f9ad707ee338b18b091d8873f47db22320ac244d486497d341a
 +        Message-Authenticator = 0x00000000000000000000000000000000
 +        State = 0x84af535b759debdba1ca077c27856ed1
 +Finished request 5
 +Going to the next request
 +Waking up in 6 seconds...
 +rad_recv: Access-Request packet from host 192.168.1.253:​2049,​ id=0,
 +length=230
 +        User-Name = "​testuser"​
 +        NAS-IP-Address = 192.168.1.253
 +        Called-Station-Id = "​001839bfd481"​
 +        Calling-Station-Id = "​009096a365ec"​
 +        NAS-Identifier = "​001839bfd481"​
 +        NAS-Port = 42
 +        Framed-MTU = 1400
 +        State = 0x84af535b759debdba1ca077c27856ed1
 +        NAS-Port-Type = Wireless-802.11
 +        EAP-Message =
 +0x0206006015001703010020bc268ee2898714c93524893ede7786b9b04df170e995785b90a9a60e8636c2bd1703010030e7e8fd5b1f56171c498c926fc69888387be70fea1b7b633fc28ddfd9866e43114e27f6148e76226e533f48b97576d9c9
 +        Message-Authenticator = 0x53958e76e1d55accf242e40af246ff8f
 +  Processing the authorize section of radiusd.conf
 +modcall: entering group authorize for request 6
 +  rlm_eap: EAP packet type response id 6 length 96
 +  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 +  modcall[authorize]:​ module "​eap"​ returns updated for request 6
 +    users: Matched entry testuser at line 1
 +  modcall[authorize]:​ module "​files"​ returns ok for request 6
 +modcall: leaving group authorize (returns updated) for request 6
 +  rad_check_password: ​ Found Auth-Type EAP
 +auth: type "​EAP"​
 +  Processing the authenticate section of radiusd.conf
 +modcall: entering group authenticate for request 6
 +  rlm_eap: Request found, released from the list
 +  rlm_eap: EAP/ttls
 +  rlm_eap: processing type ttls
 +  rlm_eap_ttls:​ Authenticate
 +  rlm_eap_tls:​ processing TLS
 +  eaptls_verify returned 7
 +  rlm_eap_tls:​ Done initial handshake
 +  eaptls_process returned 7
 +  rlm_eap_ttls:​ Session established. ​ Proceeding to decode tunneled
 +attributes.
 +  TTLS: Got tunneled request
 +        EAP-Message = 0x0206000b06736563726574
 +        FreeRADIUS-Proxied-To = 127.0.0.1
 +  TTLS: Adding old state with 74 83
 +  TTLS: Sending tunneled request
 +        EAP-Message = 0x0206000b06736563726574
 +        FreeRADIUS-Proxied-To = 127.0.0.1
 +        User-Name = "​testuser"​
 +        State = 0x7483fff7bbbda2819fabed3436521707
 +  Processing the authorize section of radiusd.conf
 +modcall: entering group authorize for request 6
 +  rlm_eap: EAP packet type response id 6 length 11
 +  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 +  modcall[authorize]:​ module "​eap"​ returns updated for request 6
 +    users: Matched entry testuser at line 1
 +  modcall[authorize]:​ module "​files"​ returns ok for request 6
 +modcall: leaving group authorize (returns updated) for request 6
 +  rad_check_password: ​ Found Auth-Type EAP
 +auth: type "​EAP"​
 +  Processing the authenticate section of radiusd.conf
 +modcall: entering group authenticate for request 6
 +  rlm_eap: Request found, released from the list
 +  rlm_eap: EAP/gtc
 +  rlm_eap: processing type gtc
 +  Processing the authenticate section of radiusd.conf
 +modcall: entering group PAP for request 6
 +rlm_pap: login attempt by "​testuser"​ with password secret
 +rlm_pap: Using password "​secret"​ for user testuser authentication.
 +rlm_pap: Using clear text password.
 +rlm_pap: User authenticated succesfully
 +  modcall[authenticate]:​ module "​pap"​ returns ok for request 6
 +modcall: leaving group PAP (returns ok) for request 6
 +  rlm_eap_gtc:​ Everything is OK.
 +  rlm_eap: Freeing handler
 +  modcall[authenticate]:​ module "​eap"​ returns ok for request 6
 +modcall: leaving group authenticate (returns ok) for request 6
 +  TTLS: Got tunneled reply RADIUS code 2
 +        EAP-Message = 0x03060004
 +        Message-Authenticator = 0x00000000000000000000000000000000
 +        User-Name = "​testuser"​
 +  TTLS: Got tunneled Access-Accept
 +  rlm_eap: Freeing handler
 +  TTLS: Freeing handler for user testuser
 +  modcall[authenticate]:​ module "​eap"​ returns ok for request 6
 +modcall: leaving group authenticate (returns ok) for request 6
 +Sending Access-Accept of id 0 to 192.168.1.253 port 2049
 +        MS-MPPE-Recv-Key =
 +0x12b314a97cb067d593c25c0395ee246852caf129258cf0a00d25b7a5b9343e50
 +        MS-MPPE-Send-Key =
 +0x78bd0fe823f947ea326d25d576313556a477394a7fedaeb66351ff51ddc041b2
 +        EAP-Message = 0x03060004
 +        Message-Authenticator = 0x00000000000000000000000000000000
 +        User-Name = "​testuser"​
 +Finished request 6
 +Going to the next request
 +Waking up in 6 seconds...
 +--- Walking the entire request list ---
 +Cleaning up request 6 ID 0 with timestamp 44f96399
 +Nothing to do.  Sleeping until we see a request.
 +</​file>​
 +
 +
 +===== Wireless interface aspect after authentication =====
 +
 +<code bash>
 +# iwconfig wlan0
 +
 +wlan0     IEEE 802.11g ​ ESSID:"​ymbi"​
 +          Mode:​Managed ​ Frequency:​2.437 GHz  Access Point:
 +00:​18:​39:​BF:​D4:​81
 +          Bit Rate=54 Mb/s   ​Tx-Power:​25 dBm
 +          RTS thr:2347 B   ​Fragment thr:2346 B
 +          Encryption
 +key:​A761-2CB0-936F-CCEB-591A-F18C-6ABF-89E5-73E8-347F-6D96-9121-279C-54FC-24AF-088D
 +          Power Management:​off
 +          Link Quality:​0 ​ Signal level:​0 ​ Noise level:0
 +          Rx invalid nwid:​0 ​ Rx invalid crypt:​0 ​ Rx invalid frag:0
 +          Tx excessive retries:​0 ​ Invalid misc:​0 ​  ​Missed beacon:0
 +</​code>​