Securing wi-fi net with EAP/TTLS
This is a very simple cookbook to configure EAP-TTLS with PAP to secure wi-fi LAN.
Network Map
(INTERNET) ↔ (1.1.1.1) fw (lan:192.168.1.254) ↔ (inet:192.168.1.253) AP (wlan: 192.168.27.254) ↔ (wlan:192.168.27.111) client
fw: FreeRadius Config Files
FreeRadius 1.1.1
File /etc/raddb/radiusd.conf:
prefix = /usr exec_prefix = ${prefix} sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = ${exec_prefix}/lib pidfile = ${run_dir}/radiusd.pid max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = 192.168.1.254 port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = no log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no Checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = clear } eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no gtc { auth_type = PAP } tls { private_key_password = druvs2systems private_key_file = /etc/raddb/certs/cert-srv.pem certificate_file = /etc/raddb/certs/cert-srv.pem CA_file = /etc/raddb/certs/demoCA/cacert.pem dh_file = /etc/raddb/certs/dh random_file = /etc/raddb/certs/random fragment_size = 1024 include_length = yes } ttls { default_eap_type = gtc copy_request_to_tunnel = no use_tunneled_reply = no } } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users compat = no } } authorize { eap files } authenticate { eap Auth-Type PAP { pap } } post-proxy { eap }
File /etc/raddb/clients.conf:
client 192.168.1.253/32 { secret = SharedSecret99 shortname = localhost }
File /etc/raddb/users:
"testuser" User-Password == "secret"
When launch radius with debug mode radiusd -X we have this output:
Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: bind_address = 192.168.1.254 IP address [192.168.1.254] main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded eap eap: default_eap_type = "ttls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "druvs2systems" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "gtc" ttls: copy_request_to_tunnel = no ttls: use_tunneled_reply = no rlm_eap: Loaded and initialized type ttls Module: Instantiated eap (eap) Module: Loaded PAP pap: encryption_scheme = "clear" Module: Instantiated pap (pap) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Listening on authentication 192.168.1.254:1812 Listening on accounting 192.168.1.254:1813 Ready to process requests.
Client Configuration
The client is a linux box with wpa_supplicant.
WPA supplicant configuration file /etc/wpa_supplicant.conf:
network={ ssid="ymbi" proto=WPA key_mgmt=WPA-EAP pairwise=TKIP group=TKIP eap=TTLS ca_cert="/etc/cert/demoCA/cacert.pem" client_cert="/etc/cert/cert-clt.pem" private_key="/etc/cert/cert-clt.p12" private_key_passwd="passwordofkeyfile" identity="testuser" password="secret" }
Now we try tu run wpa_supplicant with debug output:
# wpa_supplicant -iwlan0 -c/etc/wpa_supplicant.conf -w -Dndiswrapper
Trying to associate with 00:18:39:bf:d4:81 (SSID='ymbi' freq=2437 MHz) Associated with 00:18:39:bf:d4:81 CTRL-EVENT-EAP-STARTED EAP authentication started OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error OpenSSL: pending error: error:140C800D:SSL routines:SSL_use_certificate_file:ASN1 lib OpenSSL: pending error: error:140CB009:SSL routines:SSL_use_PrivateKey_file:PEM lib CTRL-EVENT-EAP-METHOD EAP method 21 (TTLS) selected CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully WPA: Key negotiation completed with 00:18:39:bf:d4:81 [PTK=TKIP GTK=TKIP] CTRL-EVENT-CONNECTED - Connection to 00:18:39:bf:d4:81 completed (auth)
Debug ouput of radius
rad_recv: Access-Request packet from host 192.168.1.253:2049, id=0,
length=129
User-Name = "testuser"
NAS-IP-Address = 192.168.1.253
Called-Station-Id = "001839bfd481"
Calling-Station-Id = "009096a365ec"
NAS-Identifier = "001839bfd481"
NAS-Port = 42
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200000d017465737475736572
Message-Authenticator = 0xeee5396011aad1c468c591d4ca65d012
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
rlm_eap: EAP packet type response id 0 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry testuser at line 1
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 0 to 192.168.1.253 port 2049
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x21182ca541e9335a66f8b91266e2e5a3
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.253:2049, id=0,
length=242
User-Name = "testuser"
NAS-IP-Address = 192.168.1.253
Called-Station-Id = "001839bfd481"
Calling-Station-Id = "009096a365ec"
NAS-Identifier = "001839bfd481"
NAS-Port = 42
Framed-MTU = 1400
State = 0x21182ca541e9335a66f8b91266e2e5a3
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0201006c150016030100610100005d030144f963994bb3b5b6843d1ffb980f1dd90664779d88fa0d45e592b349d0c4a2b000003600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100
Message-Authenticator = 0x37bd3d6c73d7d196d9ffd4125fa7520f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
rlm_eap: EAP packet type response id 1 length 108
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry testuser at line 1
modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 069f], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 010d], ServerKeyExchange
TLS_accept: SSLv3 write key exchange A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 0 to 192.168.1.253 port 2049
EAP-Message =
0x0102040a15c00000080e160301004a02000046030144f963990894dce46a385ae5d10e6c63b9ec7ec31021cde5ee21da67d6876c2020969cced1cf79f958c9a4099552b16b0f57e7df5a5bded193933d0a6095d03c42003900160301069f0b00069b0006980002cc308202c830820231a003020102020102300d06092a864886f70d010104050030819d310b3009060355040613024341311230100603550408130942617263656c6f6e613111300f06035504071308436f726e656c6c6131163014060355040a130d44525556532053797374656d73310b3009060355040b13026630311a301806035504031311436c69656e74207769666920647275
EAP-Message =
0x76733126302406092a864886f70d01090116176f72696f6c4064727576732d73797374656d732e636f6d301e170d3036303132353230353030385a170d3037303132353230353030385a30819c310b3009060355040613024341311230100603550408130942617263656c6f6e613111300f06035504071308436f726e656c6c6131163014060355040a130d44525556532053797374656d73310b3009060355040b13026630311930170603550403131043412064727576732073797374656d733126302406092a864886f70d01090116176f72696f6c4064727576732d73797374656d732e636f6d30819f300d06092a864886f70d01010105000381
EAP-Message =
0x8d0030818902818100ca75d0502d1fcc9a98659a215fd56bc988c9456cbbed6652c09e06c871164172109ae52ce14e6e28bac61e65f28fdd38ae40206d429ee272d851c1be1c999c3f46afb67b816ed39b0d31248289b2fd19793ac00c68da96bb5e68436fee8accd7ac931a3ab53d3e17a9bed9fa65757753e66ea9ba1c3fdcd2424fbc99aca980370203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181002e9c93dcfcda12811599b13551965a35afb4e26feb98756a38f24b7da903bc3fc9a287846af47f6116f9792911770d9182fc56cc9c0c302ff99535e01fc3578fc285d9
EAP-Message =
0xed279fb00cf4c23b60f95eded17bff4b645dcb0fd3c84719fb8a31be52f093be7f82874c68dd1706fdc4b40cf1d6eceec354cc352051690938d8e28f450003c6308203c23082032ba003020102020900f950691baf0e3e16300d06092a864886f70d010104050030819d310b3009060355040613024341311230100603550408130942617263656c6f6e613111300f06035504071308436f726e656c6c6131163014060355040a130d44525556532053797374656d73310b3009060355040b13026630311a301806035504031311436c69656e7420776966692064727576733126302406092a864886f70d01090116176f72696f6c4064727576732d73
EAP-Message = 0x797374656d732e636f6d301e170d3036303132353230
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x12ac64c530bb647d09b3f01125f34fb0
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.253:2049, id=0,
length=140
User-Name = "testuser"
NAS-IP-Address = 192.168.1.253
Called-Station-Id = "001839bfd481"
Calling-Station-Id = "009096a365ec"
NAS-Identifier = "001839bfd481"
NAS-Port = 42
Framed-MTU = 1400
State = 0x12ac64c530bb647d09b3f01125f34fb0
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200061500
Message-Authenticator = 0x29ccd4e00a0946e81b116a2204e47dcc
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched entry testuser at line 1
modcall[authorize]: module "files" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 0 to 192.168.1.253 port 2049
EAP-Message =
0x0103040a15c00000080e353030365a170d3136303132333230353030365a30819d310b3009060355040613024341311230100603550408130942617263656c6f6e613111300f06035504071308436f726e656c6c6131163014060355040a130d44525556532053797374656d73310b3009060355040b13026630311a301806035504031311436c69656e7420776966692064727576733126302406092a864886f70d01090116176f72696f6c4064727576732d73797374656d732e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100b95b5417dddca78cffb8aebf8fde0c552069265a1676426d09f02e00ff588663d6b8
EAP-Message =
0x5b96436030129f8faeb9676b3fb6dcf645e28677431d9eedd301fdcb195f9c4e3d69ccdcc87c3995df378bb01a7dabdd05d5875d888d46056c971c33eca8e6f9d91068518693d67ca813e58a4922897edfbcb0cb1ad18e0a09f7f46894070203010001a382010630820102301d0603551d0e0416041474c62db92bf47efc071c41018111e3e5e32aa50e3081d20603551d230481ca3081c7801474c62db92bf47efc071c41018111e3e5e32aa50ea181a3a481a030819d310b3009060355040613024341311230100603550408130942617263656c6f6e613111300f06035504071308436f726e656c6c6131163014060355040a130d44525556532053
EAP-Message =
0x797374656d73310b3009060355040b13026630311a301806035504031311436c69656e7420776966692064727576733126302406092a864886f70d01090116176f72696f6c4064727576732d73797374656d732e636f6d820900f950691baf0e3e16300c0603551d13040530030101ff300d06092a864886f70d0101040500038181001ed1a0326268e23341f45fe0d1ac5e7a0dd08763838d53c1d90a8d71245e0aba46a68fe376e576f7dc3d4188ff72e71cfd9b1bda2b8b20ffcea988a65f5fb9296ebcadefc30fdb60e95f07d0b88124d9fd40debaa83b316818064bbe2f4a57edc0964efa3fa85ea4bedc8c4d5c23c46f9033162edd9d5805920d
EAP-Message =
0x3d50555c1047160301010d0c0001090040d4e5200ad631ef8e2e8fccb0f3cb8c9f9cde60256c57b678151215ed3d218a4e8e5ba535b88f5fd8dd06a4d4789d79128e9d8d1758ada473c1253e820e9d95a300010200407b1811b1c240010d6d0f006b977786e6a0e482fd1d0149fb32c5341131b27e4ad185e4f87bf0fb9fa34cbf20d30fc4731dbf23be3d1e8ef0ded34e75ea47ad6300804a4c5849a91145aaa406e73887c7afb669171a4fc757d77a4800ac6220f51238e157241cfaaa5b464945a497fb01ccb51d5676deae0c48cbb810a2dff763fc7b09f948432ffc346788373d6e7c667b54c75073c6798accbd4a465960439eaff6dfae9dd6e2
EAP-Message = 0xfffca21e7f20b1e3019625cb55180331e4aae00c74c1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xec9855d26368dcc0a19d5c7603762c6c
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.253:2049, id=0,
length=140
User-Name = "testuser"
NAS-IP-Address = 192.168.1.253
Called-Station-Id = "001839bfd481"
Calling-Station-Id = "009096a365ec"
NAS-Identifier = "001839bfd481"
NAS-Port = 42
Framed-MTU = 1400
State = 0xec9855d26368dcc0a19d5c7603762c6c
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300061500
Message-Authenticator = 0x8e9fc5b99c088bb76d6bff199f5a5ed1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
users: Matched entry testuser at line 1
modcall[authorize]: module "files" returns ok for request 3
modcall: leaving group authorize (returns updated) for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 0 to 192.168.1.253 port 2049
EAP-Message = 0x0104001815800000080e20cd7349f716030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x74f0f317d1e6515d0e08de153e7585b5
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.253:2049, id=0,
length=274
User-Name = "testuser"
NAS-IP-Address = 192.168.1.253
Called-Station-Id = "001839bfd481"
Calling-Station-Id = "009096a365ec"
NAS-Identifier = "001839bfd481"
NAS-Port = 42
Framed-MTU = 1400
State = 0x74f0f317d1e6515d0e08de153e7585b5
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0204008c150016030100461000004200406a306957e94709b5329f4fef619d08070850b8a1a497b1d323d0ec3678954a7e3ac6cba9940583aedd8cd622a6b0afd84e537d05b3377cae21aab6b904bab8eb1403010001011603010030a3afca3f1defb9b613af40bff506261a52f97d6df30a9e62702bfc295f8589dea32cc126282236d73928f31472e1da27
Message-Authenticator = 0x74bee9bfe2b8e4b724d2954862405b17
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
rlm_eap: EAP packet type response id 4 length 140
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
users: Matched entry testuser at line 1
modcall[authorize]: module "files" returns ok for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 4
modcall: leaving group authenticate (returns handled) for request 4
Sending Access-Challenge of id 0 to 192.168.1.253 port 2049
EAP-Message =
0x0105004515800000003b14030100010116030100305c7ade06311b72ffb6ee34f58e3045f96e98b6d21c4274b513542c2270e9d6b0f46a8231b70471c17d5e44193001c0e0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd47040ab18b10619471de9cccf19268e
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.253:2049, id=0,
length=230
User-Name = "testuser"
NAS-IP-Address = 192.168.1.253
Called-Station-Id = "001839bfd481"
Calling-Station-Id = "009096a365ec"
NAS-Identifier = "001839bfd481"
NAS-Port = 42
Framed-MTU = 1400
State = 0xd47040ab18b10619471de9cccf19268e
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x020500601500170301002080f833d632ed6b6db2e546c61ec3a9bcb03ad2bb400d4065ebcdcef8369c313a1703010030544963e7a4c65456f1c07ca60baf6997fc8780b459f979353aa222806431d767564b7a9e56454fc37f73d383de22e38d
Message-Authenticator = 0x9d57d285158cea3f520c61f70b494356
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
rlm_eap: EAP packet type response id 5 length 96
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
users: Matched entry testuser at line 1
modcall[authorize]: module "files" returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled
attributes.
TTLS: Got tunneled request
EAP-Message = 0x0205000d017465737475736572
FreeRADIUS-Proxied-To = 127.0.0.1
TTLS: Got tunneled identity of testuser
TTLS: Setting default EAP type for tunneled EAP session.
TTLS: Sending tunneled request
EAP-Message = 0x0205000d017465737475736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testuser"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
rlm_eap: EAP packet type response id 5 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
users: Matched entry testuser at line 1
modcall[authorize]: module "files" returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: EAP Identity
rlm_eap: processing type gtc
modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
TTLS: Got tunneled reply RADIUS code 11
EAP-Message = 0x0106000f0650617373776f72643a20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7483fff7bbbda2819fabed3436521707
TTLS: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
Sending Access-Challenge of id 0 to 192.168.1.253 port 2049
EAP-Message =
0x0106006415800000005a17030100206b1cf1e2a1e2158735a57447c681de391dfcf092b1351b10899076ec92799fe81703010030b777d90ae1ceb35bd526231cf8dcf42ab213ccce63c75f9ad707ee338b18b091d8873f47db22320ac244d486497d341a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x84af535b759debdba1ca077c27856ed1
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.253:2049, id=0,
length=230
User-Name = "testuser"
NAS-IP-Address = 192.168.1.253
Called-Station-Id = "001839bfd481"
Calling-Station-Id = "009096a365ec"
NAS-Identifier = "001839bfd481"
NAS-Port = 42
Framed-MTU = 1400
State = 0x84af535b759debdba1ca077c27856ed1
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0206006015001703010020bc268ee2898714c93524893ede7786b9b04df170e995785b90a9a60e8636c2bd1703010030e7e8fd5b1f56171c498c926fc69888387be70fea1b7b633fc28ddfd9866e43114e27f6148e76226e533f48b97576d9c9
Message-Authenticator = 0x53958e76e1d55accf242e40af246ff8f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
rlm_eap: EAP packet type response id 6 length 96
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
users: Matched entry testuser at line 1
modcall[authorize]: module "files" returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled
attributes.
TTLS: Got tunneled request
EAP-Message = 0x0206000b06736563726574
FreeRADIUS-Proxied-To = 127.0.0.1
TTLS: Adding old state with 74 83
TTLS: Sending tunneled request
EAP-Message = 0x0206000b06736563726574
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testuser"
State = 0x7483fff7bbbda2819fabed3436521707
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
rlm_eap: EAP packet type response id 6 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
users: Matched entry testuser at line 1
modcall[authorize]: module "files" returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/gtc
rlm_eap: processing type gtc
Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 6
rlm_pap: login attempt by "testuser" with password secret
rlm_pap: Using password "secret" for user testuser authentication.
rlm_pap: Using clear text password.
rlm_pap: User authenticated succesfully
modcall[authenticate]: module "pap" returns ok for request 6
modcall: leaving group PAP (returns ok) for request 6
rlm_eap_gtc: Everything is OK.
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 6
modcall: leaving group authenticate (returns ok) for request 6
TTLS: Got tunneled reply RADIUS code 2
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "testuser"
TTLS: Got tunneled Access-Accept
rlm_eap: Freeing handler
TTLS: Freeing handler for user testuser
modcall[authenticate]: module "eap" returns ok for request 6
modcall: leaving group authenticate (returns ok) for request 6
Sending Access-Accept of id 0 to 192.168.1.253 port 2049
MS-MPPE-Recv-Key =
0x12b314a97cb067d593c25c0395ee246852caf129258cf0a00d25b7a5b9343e50
MS-MPPE-Send-Key =
0x78bd0fe823f947ea326d25d576313556a477394a7fedaeb66351ff51ddc041b2
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "testuser"
Finished request 6
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 6 ID 0 with timestamp 44f96399
Nothing to do. Sleeping until we see a request.
Wireless interface aspect after authentication
# iwconfig wlan0 wlan0 IEEE 802.11g ESSID:"ymbi" Mode:Managed Frequency:2.437 GHz Access Point: 00:18:39:BF:D4:81 Bit Rate=54 Mb/s Tx-Power:25 dBm RTS thr:2347 B Fragment thr:2346 B Encryption key:A761-2CB0-936F-CCEB-591A-F18C-6ABF-89E5-73E8-347F-6D96-9121-279C-54FC-24AF-088D Power Management:off Link Quality:0 Signal level:0 Noise level:0 Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0 Tx excessive retries:0 Invalid misc:0 Missed beacon:0