freeradius eap-tls

Discussion of setting up and running services, redundancy, network settings and OS security questions for young and beginning system administrators.

Moderators: SLEDopit, Section moderators

banzay
Posts: 88
OS: openSUSE 12.1 (x86_64)

freeradius eap-tls

Post by banzay »

Hello. It fell to me to set up freeradius. No problems with it as such, it works. In particular it works together with pptp, and eap-peap works quite normally. But so far I have not managed to get eap-tls up.
Starting data:
OpenSUSE 11.1 2.6.27.45-0.1-default x86_64.
freeradius 2.1.8-1.1
openssl 0.9.8h-28.15.1.
clients: XP SP3 and 7
The main guide was this one: http://www.ixbt.com/comm/prac-wpa-eap_3.shtml
with adjustments for how long ago that guide was written.
I created the certificates with the freeradius tools from the /etc/raddb/certs folder.
The CA and the client certificate are installed on the client machine.
On an authentication attempt freeradius produces this output:

Code:

rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=64, length=154 User-Name = "rum-test-user" NAS-IP-Address = 192.168.10.110 NAS-Identifier = "P2302HWUDLP1" Framed-MTU = 1496 Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co" Calling-Station-Id = "00-21-91-1d-f2-a3" NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020100120172756d2d746573742d75736572 Message-Authenticator = 0x266862e846693f09ac29bebfcf7b4ae6 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "rum-test-user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop [sql] expand: %{User-Name} -> rum-test-user [sql] sql_set_user escaped user --> 'rum-test-user' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rum-test-user' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rum-test-user' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'rum-test-user' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. 
++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 64 to 192.168.10.110 port 1128 EAP-Message = 0x0102001604101e41320351a20b5cce33b95a9dad1463 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8e62bf098e60bb934eac56150a84d601 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=65, length=160 User-Name = "rum-test-user" NAS-IP-Address = 192.168.10.110 NAS-Identifier = "P2302HWUDLP1" Framed-MTU = 1496 Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co" Calling-Station-Id = "00-21-91-1d-f2-a3" NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02020006030d State = 0x8e62bf098e60bb934eac56150a84d601 Message-Authenticator = 0x117f221a5c5ad4d0d7983016340106c2 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "rum-test-user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop [sql] expand: %{User-Name} -> rum-test-user [sql] sql_set_user escaped user --> 'rum-test-user' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rum-test-user' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rum-test-user' ORDER BY id [sql] expand: SELECT groupname FROM 
radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'rum-test-user' ORDER BY priority rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/tls [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 65 to 192.168.10.110 port 1128 EAP-Message = 0x010300060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8e62bf098f61b2934eac56150a84d601 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=66, length=234 User-Name = "rum-test-user" NAS-IP-Address = 192.168.10.110 NAS-Identifier = "P2302HWUDLP1" Framed-MTU = 1496 Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co" Calling-Station-Id = "00-21-91-1d-f2-a3" NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300500d800000004616030100410100003d03014bd179fe2c573cfe2aa4db977f1e9843febb 8372f8ccfa4631ebadf647c50fac00001600040005000a0009006400620003000600130012006301 0 0 State = 0x8e62bf098f61b2934eac56150a84d601 Message-Authenticator = 0xf520ea07dac4248fe22be095285f2a64 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "rum-test-user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 80 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop [sql] expand: %{User-Name} -> rum-test-user [sql] sql_set_user escaped user --> 'rum-test-user' 
rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rum-test-user' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rum-test-user' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'rum-test-user' ORDER BY priority rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 70 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0041], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 083d], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 009d], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 66 to 192.168.10.110 port 1128 EAP-Message = 
0x010404000dc000000913160301002a0200002603014bd17a01b8119691985b53f5073c4df2062d 9e74a095ec13a106a18ebc5f856a00000400160301083d0b0008390008360003a03082039c308202 8 4a003020102020101300d06092a864886f70d010104050030818a310b30090603550406130252553 1 0f300d060355040813064d6f73636f77310f300d060355040713064d6f73636f7731153013060355 0 40a130c4d617261666f6e20496e632e3122302006092a864886f70d010901161361646d696e406c6 5 676769726f6e692e636f6d311e301c06035504031315436572746966696361746520417574686f72 6 97479301e170d3130303432 EAP-Message = 0x333039333332305a170d3131303432333039333332305a307f310b300906035504061302525531 0f300d060355040813064d6f73636f7731153013060355040a130c4d617261666f6e20496e632e31 2 430220603550403131b4b61736869726b61205365727665722043657274696669636174653122302 0 06092a864886f70d010901161361646d696e406c65676765726f6e692e636f6d30820122300d0609 2 a864886f70d01010105000382010f003082010a0282010100bae009fb4d4e81300376c6671e53951 8 674205563e482eb3d776275122067945eb5cf3fa40e3eaa9bdba5f717f9c252a095f743155febbff 7 fe5e36ee42a039165016e81 EAP-Message = 0xdbffb9f60220d1b41ec6a63685e2d7ab45878a487df65635507c7d7c8411237f1f1a3addc7fe37 a0cde3df53c304d62fc7ebecc5a1ebef30dcd8c77d572ca31b4c5a7a9d27097ba858a1f4c35ebdb4 f b314391ec1ec259eb3f2edf368cb32b4871a82572bd7098fdbc5a846f52a60240efbb68c73f9a695 2 e0910e5960dff21ff36a5963f6fd19bb0aee93e4d710c0fc4e2ac2208128dc6cc0c28782c38b32a5 d 6afa49ef7a1357926f310db9a76f623f9cf7d903098b8311dc9fe2d0203010001a31730153013060 3 551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100642fa4 3 8cb633d47dade4ccc6a655c EAP-Message = 0x970aa13c81f7b3e2186d9c73858321a6a5314b8e96923f6cb03d6b549ef93379d8e72f77e8da47 3550bf40b3872e86da50ae721d74acc94e2894f9654a63a20160bc3422562fcfabfa0bfc0dc4d9bc b 951135db368f91480272fe3db1a7f6ffcd42ee75ad4dffc8312e5c644b3382026b8fe3ec11f37c0c a 398b6170bf8ebff86e7f034cfe3fb2c4010495bc144c8e998e4d21396a5c434b6cb23bbc71808cd0 4 
9a1d86234053665108329c792f0db4377ff748d94d2308bc171ea21d3d4a888a41d8d1a041520e8c a f1019601cc8fad7a305e1ea95d9918f2fb58f7ca6615d13443c1605376d0e2bf5b9857598d1314df 0 004903082048c30820374a0 EAP-Message = 0x03020102020900c4e98ac486 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8e62bf098c66b2934eac56150a84d601 Finished request 2. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=67, length=160 User-Name = "rum-test-user" NAS-IP-Address = 192.168.10.110 NAS-Identifier = "P2302HWUDLP1" Framed-MTU = 1496 Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co" Calling-Station-Id = "00-21-91-1d-f2-a3" NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400060d00 State = 0x8e62bf098c66b2934eac56150a84d601 Message-Authenticator = 0x39c93643f903a38601593cccec7c1e3b +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "rum-test-user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop [sql] expand: %{User-Name} -> rum-test-user [sql] sql_set_user escaped user --> 'rum-test-user' rlm_sql (sql): Reserving sql socket id: 0 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rum-test-user' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rum-test-user' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT 
groupname FROM radusergroup WHERE username = 'rum-test-user' ORDER BY priority rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 67 to 192.168.10.110 port 1128 EAP-Message = 0x010504000dc000000913cc4f79300d06092a864886f70d010105050030818a310b300906035504 0613025255310f300d060355040813064d6f73636f77310f300d060355040713064d6f73636f7731 1 53013060355040a130c4d617261666f6e20496e632e3122302006092a864886f70d0109011613616 4 6d696e406c65676769726f6e692e636f6d311e301c06035504031315436572746966696361746520 4 17574686f72697479301e170d3130303432333039323833345a170d3131303432333039323833345 a 30818a310b3009060355040613025255310f300d060355040813064d6f73636f77310f300d060355 0 40713064d6f73636f773115 EAP-Message = 0x3013060355040a130c4d617261666f6e20496e632e3122302006092a864886f70d010901161361 646d696e406c65676769726f6e692e636f6d311e301c060355040313154365727469666963617465 2 0417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820 1 0100d9beb0b07948dfe0cacb1bdbe863153e0a4b69aaf2046df6ce1dcc7c9736941bfa07c27c40d7 3 52df4be185ada85fca46d3ac7f3abe6a23d203a76cf681df2b7999c29c7a563ce028832861a49b61 c 63164997cf432daa4ea04731e4afbbca44c428c454ffd784c787be84ddd1d0a6f9021250b803c9ca 3 83490eb60e6ec1beec6bb11 EAP-Message = 0xbff5d115f6c94d0be3db6d01a5da64e9cac2bcefc6a09416b60ef1702bccef54e114f02cb5a94f 944dac762de28a9bab415262d1db5454233a1b1a51e3b2662321a3775937ad084738207726d4a47c a 17661472737ad0ef6a449269fa75db8b980aea272b6aebd5828d7d2397c857a22c507d57bc480cdf c 
08721087110203010001a381f23081ef301d0603551d0e041604140fa9348074160e93bb27a9e116 3 d64291b1a70ff3081bf0603551d230481b73081b480140fa9348074160e93bb27a9e1163d64291b1 a 70ffa18190a4818d30818a310b3009060355040613025255310f300d060355040813064d6f73636f 7 7310f300d06035504071306 EAP-Message = 0x4d6f73636f7731153013060355040a130c4d617261666f6e20496e632e3122302006092a864886 f70d010901161361646d696e406c65676769726f6e692e636f6d311e301c06035504031315436572 7 46966696361746520417574686f72697479820900c4e98ac486cc4f79300c0603551d13040530030 1 01ff300d06092a864886f70d0101050500038201010041d56a5b67424e690c4a2c58deddabd94c33 a 00e3f283d8c4db26de1791d20d1f68b6c40a30bb818a15dea10358082ec3ceca5073c9b7dbe842d6 6 0f9d5a44e5dba5002805586438860fdfaa1964a8ac22f4ff3b267ff81db83bb4f42749bcfcacf058 0 f74e213033b0687af2dd6d1 EAP-Message = 0xce5e079c318187ec490e8ef5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8e62bf098d67b2934eac56150a84d601 Finished request 3. Going to the next request Waking up in 4.7 seconds. 
rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=68, length=160 User-Name = "rum-test-user" NAS-IP-Address = 192.168.10.110 NAS-Identifier = "P2302HWUDLP1" Framed-MTU = 1496 Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co" Calling-Station-Id = "00-21-91-1d-f2-a3" NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020500060d00 State = 0x8e62bf098d67b2934eac56150a84d601 Message-Authenticator = 0x7e2f29a029e94c088bd274a032f44eca +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "rum-test-user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop [sql] expand: %{User-Name} -> rum-test-user [sql] sql_set_user escaped user --> 'rum-test-user' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rum-test-user' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rum-test-user' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'rum-test-user' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. 
++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 68 to 192.168.10.110 port 1128 EAP-Message = 0x010601310d8000000913df1953b20a7da13eeff93761256c9dc853d071eae09d95f9c807b388a3 b84e3b4f4e7b08148ed417ee807eddfab480117e4cc68d80b9180e3db4dd195cb8f1d27478c7b4c4 9 9ddb08e63ea6a47bcea5b3b0d422249bf4112df85cead93656bd843566ff4ca347a795f735348410 0 0a1f63ab0ac500c3e94eb40eb24c567ce7d242b4bd0d2c160301009d0d00009503010240008f008d 3 0818a310b3009060355040613025255310f300d060355040813064d6f73636f77310f300d0603550 4 0713064d6f73636f7731153013060355040a130c4d617261666f6e20496e632e3122302006092a86 4 886f70d010901161361646d EAP-Message = 0x696e406c65676769726f6e692e636f6d311e301c06035504031315436572746966696361746520 417574686f726974790e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8e62bf098a64b2934eac56150a84d601 Finished request 4. Going to the next request Waking up in 4.7 seconds. Cleaning up request 0 ID 64 with timestamp +20 Cleaning up request 1 ID 65 with timestamp +20 Waking up in 0.1 seconds. Cleaning up request 2 ID 66 with timestamp +20 Cleaning up request 3 ID 67 with timestamp +20 Cleaning up request 4 ID 68 with timestamp +20


From all of this I understand that there are problems with reading the certificates, in particular this:

Code:

[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate A

My thoughts:
It looks like either the certificate is wrong or the supplicant does not work correctly with freeradius.
All the information on the internet about this is badly outdated... and I have found nothing intelligible on this problem.

The question:
Who has managed to get all this working? Which guides did you use? Which package versions were installed? How did you generate the certificates...

I have been fighting this problem for a week now, but there is no light at the end of the tunnel. Somewhere there is a fundamental mistake... or an incompatibility.
If you need additional details, write what is needed and I will post it immediately.
If you want to live, you'll contort yourself into worse positions than that...
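The EAP-Message values in that trace can be decoded to see exactly where the EAP-TLS exchange stalls. The script below is an added example (not from the forum post and not FreeRADIUS code): it parses the EAP header (RFC 3748), the EAP-TLS flags and length field (RFC 5216) and the first TLS record of each message. Its sample input is constructed from the first EAP-Message value of each packet in the trace above, with the debug line-wrap spaces removed and the three long server packets cut after their first bytes. It shows the ClientHello carrying 70 TLS bytes (the "TLS Length 70 / Length Included" lines), the server's 2323-byte flight going out in 1024-byte EAP fragments (the fragment_size from the config dump later in the thread), and that the trace ends after the server's last fragment with no further client packet, which is what "Need to read more data: SSLv3 read client certificate A" means: the server has sent its CertificateRequest and is waiting for the client's Certificate.

```python
"""Decode the EAP / EAP-TLS headers of the EAP-Message values in a FreeRADIUS
`radiusd -X` trace (RFC 3748 EAP header, RFC 5216 EAP-TLS flags, TLS record
header).  Added example; not code from the forum post or from FreeRADIUS."""
import struct

EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             13: "CertificateRequest", 14: "ServerHelloDone"}
# 40/56-bit "export" suites, named as OpenSSL prints them.
EXPORT_SUITES = {0x0003: "EXP-RC4-MD5", 0x0006: "EXP-RC2-CBC-MD5",
                 0x0062: "EXP1024-DES-CBC-SHA",
                 0x0063: "EXP1024-DHE-DSS-DES-CBC-SHA", 0x0064: "EXP1024-RC4-SHA"}

# Constructed sample: first EAP-Message value of each packet in the trace from
# the post above (line-wrap spaces removed); the three long server packets are
# cut after their first bytes, so only their headers are inspected.
TRACE = [
    "0x020100120172756d2d746573742d75736572",
    "0x0102001604101e41320351a20b5cce33b95a9dad1463",
    "0x02020006030d",
    "0x010300060d20",
    "0x020300500d800000004616030100410100003d03014bd179fe2c573cfe2aa4db977f1e98"
    "43febb8372f8ccfa4631ebadf647c50fac00001600040005000a000900640062000300060013"
    "001200630100",
    "0x010404000dc000000913160301002a0200002603014bd17a01",
    "0x020400060d00",
    "0x010504000dc000000913cc4f79300d06092a864886f70d010105050030818a",
    "0x020500060d00",
    "0x010601310d8000000913df1953b20a7da13eeff93761256c9dc853d071eae09d95f9c807b388a3",
]


def _clean(hex_value):
    h = "".join(hex_value.split())
    return bytes.fromhex(h[2:] if h.startswith("0x") else h)


def client_hello_cipher_suites(hs):
    """hs: a ClientHello handshake message starting at the HandshakeType byte."""
    pos = 4 + 2 + 32                      # type(1)+length(3), client_version, random
    pos += 1 + hs[pos]                    # session_id length + session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", hs[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]


def parse_eap_tls(hex_value, continuation=False):
    """Parse one EAP packet.  continuation=True means the previous fragment in
    this direction carried the M flag, so this payload has no TLS record header."""
    data = _clean(hex_value)
    code, ident, length = struct.unpack("!BBH", data[:4])
    pkt = {"code": EAP_CODE.get(code, code), "id": ident, "length": length}
    if code not in (1, 2):
        return pkt
    eap_type = data[4]
    pkt["type"] = EAP_TYPE.get(eap_type, eap_type)
    if eap_type == 1:
        pkt["identity"] = data[5:length].decode("ascii", "replace")
    elif eap_type == 3:
        pkt["nak_wants"] = EAP_TYPE.get(data[5], data[5])
    if eap_type != 13:
        return pkt
    flags = data[5]
    pkt["length_included"] = bool(flags & 0x80)   # L bit
    pkt["more_fragments"] = bool(flags & 0x40)    # M bit
    pkt["start"] = bool(flags & 0x20)             # S bit
    body = 6
    if pkt["length_included"]:
        pkt["tls_total_length"] = struct.unpack("!I", data[6:10])[0]
        body = 10
    pkt["fragment_payload"] = length - body       # TLS bytes this fragment declares
    tls = data[body:length]
    if pkt["start"]:
        pkt["kind"] = "start"
    elif pkt["fragment_payload"] == 0:
        pkt["kind"] = "ack"
    elif continuation:
        pkt["kind"] = "fragment"
    else:
        pkt["kind"] = "tls-record"
        ctype, major, minor, rec_len = struct.unpack("!BBBH", tls[:5])
        pkt["record"] = TLS_CONTENT.get(ctype, ctype)
        pkt["tls_version"] = f"{major}.{minor}"
        pkt["record_length"] = rec_len
        if ctype == 22:
            pkt["handshake"] = HANDSHAKE.get(tls[5], tls[5])
            if tls[5] == 1:
                pkt["cipher_suites"] = client_hello_cipher_suites(tls[5:5 + rec_len])
                pkt["export_suites"] = [s for s in pkt["cipher_suites"] if s in EXPORT_SUITES]
    return pkt


def walk_trace(hex_values):
    """Parse a whole exchange, tracking per-direction fragment state."""
    mid_message = {"Request": False, "Response": False}
    pkts = []
    for h in hex_values:
        code = EAP_CODE.get(_clean(h)[0])
        pkt = parse_eap_tls(h, continuation=mid_message.get(code, False))
        if pkt.get("kind") in ("tls-record", "fragment"):
            mid_message[code] = pkt["more_fragments"]
        pkts.append(pkt)
    return pkts


def where_it_stopped(pkts):
    """Describe how the exchange ended (useful when the trace ends in 'Cleaning up request')."""
    last = pkts[-1]
    if (last["code"] == "Request" and last.get("kind") in ("tls-record", "fragment")
            and not last["more_fragments"]):
        return (f"server sent the last fragment of its flight (EAP id {last['id']}, "
                f"{last.get('tls_total_length', '?')} TLS bytes) and no client response follows")
    return f"last packet: {last['code']} id {last['id']} ({last.get('kind', last.get('type'))})"


if __name__ == "__main__":
    parsed = walk_trace(TRACE)
    for p in parsed:
        print(p)
    print(where_it_stopped(parsed))
```

Since the exchange stops before any client certificate reaches the server, FreeRADIUS has not yet looked at the certificate at all; the `check_cert_cn = "%{User-Name}"` rule in the config dump further down the thread has not run. The `export_suites` list also shows that this client offers several export-grade suites, which is worth comparing against the server's `cipher_list`, set to "DEFAULT" in that dump.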
sash-kan
Administrator
Posts: 13939
Status: oel ngati kameie
OS: GNU

Re: freeradius eap-tls

Post by sash-kan »

I would recommend sorting out this point first:
banzay wrote:
26.04.2010 11:34
[suffix] No '@' in User-Name = "rum-test-user", looking up realm NULL
[suffix] No such realm "NULL"

Certificates are certificates. But how can it manage there without a specific realm? (This is just musing, I'm not a specialist in this area.)
Writing illiterately means encroaching on the time of the people we address, and is therefore completely unacceptable in a properly organised society. © L. V. Shcherba, 1957
In case of forum outages see the blog
banzay
Posts: 88
OS: openSUSE 12.1 (x86_64)

Re: freeradius eap-tls

Post by banzay »

sash-kan wrote:
26.04.2010 13:16
I would recommend sorting out this point first:
banzay wrote:
26.04.2010 11:34
[suffix] No '@' in User-Name = "rum-test-user", looking up realm NULL
[suffix] No such realm "NULL"

Certificates are certificates. But how can it manage there without a specific realm? (This is just musing, I'm not a specialist in this area.)

I added this to proxy.conf:

Code:

realm DEFAULT {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
}

In short, nothing changed.
Output of radiusd -X:

Code:

main {
        user = "radiusd"
        group = "radiusd"
        allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
        prefix = "/usr"
        localstatedir = "/var"
        logdir = "/var/log/radius"
        libdir = "/usr/lib64/freeradius"
        radacctdir = "/var/log/radius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        pidfile = "/var/run/radiusd/radiusd.pid"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
 }
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
 }
 home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = "auth"
        secret = "testing123"
        response_window = 20
        max_outstanding = 65536
        require_message_authenticator = no
        zombie_period = 40
        status_check = "status-server"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
 }
 home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
 }
 realm example.com {
        auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
 realm DEFAULT {
        authhost = LOCAL
        accthost = LOCAL
 }
radiusd: #### Loading Clients ####
 client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = "[htygjl,th`im"
        shortname = "localhost"
        nastype = "other"
 }
 client 93.188.124.115 {
        require_message_authenticator = no
        secret = "123@321"
        shortname = "sklad_ap"
        nastype = "other"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
        wait = no
        input_pairs = "request"
        shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
        reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
        reply-message = "You are calling outside your allowed timespan  "
        minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
        encryption_scheme = "auto"
        auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
        radwtmp = "/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
        default_eap_type = "tls"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
        challenge = "Password: "
        auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/etc/raddb/certs/server.pem"
        certificate_file = "/etc/raddb/certs/server.pem"
        CA_file = "/etc/raddb/certs/ca.pem"
        private_key_password = "dzogroup"
        dh_file = "/etc/raddb/certs/dh"
        random_file = "/etc/raddb/certs/random"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        check_cert_cn = "%{User-Name}"
        cipher_list = "DEFAULT"
        make_cert_command = "/etc/raddb/certs/bootstrap"
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
        default_eap_type = "md5"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
        include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
        with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
        format = "suffix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
        usersfile = "/etc/raddb/users"
        acctusersfile = "/etc/raddb/acct_users"
        preproxy_usersfile = "/etc/raddb/preproxy_users"
        compat = "no"
  }
 Module: Linked to module rlm_sql
 Module: Instantiating sql
  sql {
        driver = "rlm_sql_mysql"
        server = "localhost"
        port = ""
        login = "radius"
        password = "dzogroup"
        radius_db = "radius"
        read_groups = yes
        sqltrace = no
        sqltracefile = "/var/log/radius/sqltrace.sql"
        readclients = yes
        deletestalesessions = yes
        num_sql_socks = 5
        lifetime = 0
        max_queries = 0
        sql_user_name = "%{User-Name}"
        default_user_profile = ""
        nas_query = "SELECT id, nasname, shortname, type, secret FROM nas"
        authorize_check_query = "SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id"
        authorize_reply_query = "SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id"
        authorize_group_check_query = "SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id"
        authorize_group_reply_query = "SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id"
        accounting_onoff_query = "          UPDATE radacct           SET              acctstoptime       =  '%S',              acctsessiontime    =  unix_timestamp('%S') -                                    unix_timestamp(acctstarttime),              acctterminatecause =  '%{Acct-Terminate-Cause}',              acctstopdelay      =  %{%{Acct-Delay-Time}:-0}           WHERE acctstoptime IS NULL           AND nasipaddress      =  '%{NAS-IP-Address}'           AND acctstarttime     <= '%S'"
        accounting_update_query = "           UPDATE radacct           SET              framedipaddress = '%{Framed-IP-Address}',              acctsessiontime     = '%{Acct-Session-Time}',              acctinputoctets     = '%{%{Acct-Input-Gigawords}:-0}'  << 32 |                                    '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets    = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                    '%{%{Acct-Output-Octets}:-0}'           WHERE acctsessionid = '%{Acct-Session-Id}'           AND username        = '%{SQL-User-Name}'           AND nasipaddress    = '%{NAS-IP-Address}'"
        accounting_update_query_alt = "           INSERT INTO radacct             (acctsessionid,    acctuniqueid,      username,              realm,            nasipaddress,      nasportid,              nasporttype,      acctstarttime,     acctsessiontime,              acctauthentic,    connectinfo_start, acctinputoctets,              acctoutputoctets, calledstationid,   callingstationid,              servicetype,      framedprotocol,    framedipaddress,              acctstartdelay,   xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}',              DATE_SUB('%S',                       INTERVAL (%{%{Acct-Session-Time}:-0} +                                 %{%{Acct-Delay-Time}:-0}) SECOND),                       '%{Acct-Session-Time}',              '%{Acct-Authentic}', '',              '%{%{Acct-Input-Gigawords}:-0}' << 32 |              '%{%{Acct-Input-Octets}:-0}',              '%{%{Acct-Output-Gigawords}:-0}' << 32 |              '%{%{Acct-Output-Octets}:-0}',              '%{Called-Station-Id}', '%{Calling-Station-Id}',              '%{Service-Type}', '%{Framed-Protocol}',              '%{Framed-IP-Address}',              '0', '%{X-Ascend-Session-Svr-Key}')"
        accounting_start_query = "           INSERT INTO radacct             (acctsessionid,    acctuniqueid,     username,              realm,            nasipaddress,     nasportid,              nasporttype,      acctstarttime,    acctstoptime,              acctsessiontime,  acctauthentic,    connectinfo_start,              connectinfo_stop, acctinputoctets,  acctoutputoctets,              calledstationid,  callingstationid, acctterminatecause,              servicetype,      framedprotocol,   framedipaddress,              acctstartdelay,   acctstopdelay,    xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,              '0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0', '0',              '%{Called-Station-Id}', '%{Calling-Station-Id}', '',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',              '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
        accounting_start_query_alt = "           UPDATE radacct SET              acctstarttime     = '%S',              acctstartdelay    = '%{%{Acct-Delay-Time}:-0}',              connectinfo_start = '%{Connect-Info}'           WHERE acctsessionid  = '%{Acct-Session-Id}'           AND username         = '%{SQL-User-Name}'           AND nasipaddress     = '%{NAS-IP-Address}'"
        accounting_stop_query = "           UPDATE radacct SET              acctstoptime       = '%S',              acctsessiontime    = '%{Acct-Session-Time}',              acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Output-Octets}:-0}',              acctterminatecause = '%{Acct-Terminate-Cause}',              acctstopdelay      = '%{%{Acct-Delay-Time}:-0}',              connectinfo_stop   = '%{Connect-Info}'           WHERE acctsessionid   = '%{Acct-Session-Id}'           AND username          = '%{SQL-User-Name}'           AND nasipaddress      = '%{NAS-IP-Address}'"
        accounting_stop_query_alt = "           INSERT INTO radacct             (acctsessionid, acctuniqueid, username,              realm, nasipaddress, nasportid,              nasporttype, acctstarttime, acctstoptime,              acctsessiontime, acctauthentic, connectinfo_start,              connectinfo_stop, acctinputoctets, acctoutputoctets,              calledstationid, callingstationid, acctterminatecause,              servicetype, framedprotocol, framedipaddress,              acctstartdelay, acctstopdelay)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}',              DATE_SUB('%S',                  INTERVAL (%{%{Acct-Session-Time}:-0} +                  %{%{Acct-Delay-Time}:-0}) SECOND),              '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '',              '%{Connect-Info}',              '%{%{Acct-Input-Gigawords}:-0}' << 32 |              '%{%{Acct-Input-Octets}:-0}',              '%{%{Acct-Output-Gigawords}:-0}' << 32 |              '%{%{Acct-Output-Octets}:-0}',              '%{Called-Station-Id}', '%{Calling-Station-Id}',              '%{Acct-Terminate-Cause}',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',              '0', '%{%{Acct-Delay-Time}:-0}')"
        group_membership_query = "SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority"
        connect_failure_retry_delay = 60
        simul_count_query = ""
        simul_verify_query = "SELECT radacctid, acctsessionid, username,                                nasipaddress, nasportid, framedipaddress,                                callingstationid, framedprotocol                                FROM radacct                                WHERE username = '%{SQL-User-Name}'                                AND acctstoptime IS NULL"
        postauth_query = "INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S')"
        safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  }
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radius@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Read entry nasname=192.168.10.110,shortname=test_wifi,secret=123
rlm_sql (sql): Adding client 192.168.10.110 (test_wifi, server=<none>) to clients list
rlm_sql (sql): Released sql socket id: 4
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
        filename = "/var/log/radius/radutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        perm = 384
        callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
        attrsfile = "/etc/raddb/attrs.access_reject"
        key = "%{User-Name}"
  }
 } # modules
} # server
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
        huntgroups = "/etc/raddb/huntgroups"
        hints = "/etc/raddb/hints"
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
        detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
        attrsfile = "/etc/raddb/attrs.accounting_response"
        key = "%{User-Name}"
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = *
        port = 0
}
listen {
        type = "acct"
        ipaddr = *
        port = 0
}
listen {
        type = "control"
 listen {
        socket = "/var/run/radiusd/radiusd.sock"
 }
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=130, length=154
        User-Name = "rum-test-user"
        NAS-IP-Address = 192.168.10.110
        NAS-Identifier = "P2302HWUDLP1"
        Framed-MTU = 1496
        Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co"
        Calling-Station-Id = "00-21-91-1d-f2-a3"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020100120172756d2d746573742d75736572
        Message-Authenticator = 0x0a2364e6129cf57127a9241f7ed3a47b
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rum-test-user", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "rum-test-user"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 1 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> rum-test-user
[sql] sql_set_user escaped user --> 'rum-test-user'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'rum-test-user'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'rum-test-user'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'rum-test-user'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 130 to 192.168.10.110 port 1128
        EAP-Message = 0x010200060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xfa6bfc0dfa69f18fa0dab4178bf970f2
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=131, length=234
        User-Name = "rum-test-user"
        NAS-IP-Address = 192.168.10.110
        NAS-Identifier = "P2302HWUDLP1"
        Framed-MTU = 1496
        Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co"
        Calling-Station-Id = "00-21-91-1d-f2-a3"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020200500d800000004616030100410100003d03014bd56d726c52a8298275adc8146d0bbdd00831b223af688c6b4cf0eab3813e5600001600040005000a000900640062000300060013001200630100
        State = 0xfa6bfc0dfa69f18fa0dab4178bf970f2
        Message-Authenticator = 0x810a8d9a74e769586063e7798705434b
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rum-test-user", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "rum-test-user"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 80
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> rum-test-user
[sql] sql_set_user escaped user --> 'rum-test-user'
rlm_sql (sql): Reserving sql socket id: 2
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'rum-test-user'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'rum-test-user'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'rum-test-user'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 70
[tls] Length Included
[tls] eaptls_verify returned 11
[tls]     (other): before/accept initialization
[tls]     TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0041], ClientHello
[tls]     TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[tls]     TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 083d], Certificate
[tls]     TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 009d], CertificateRequest
[tls]     TLS_accept: SSLv3 write certificate request A
[tls]     TLS_accept: SSLv3 flush data
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 131 to 192.168.10.110 port 1128
        EAP-Message = 0x010304000dc000000913160301002a0200002603014bd56d850f6ee8d783347012d15ddc0615b898c8979c25218fa585df4e9dd30000000400160301083d0b0008390008360003a03082039c30820284a003020102020101300d06092a864886f70d010104050030818a310b3009060355040613025255310f300d060355040813064d6f73636f77310f300d060355040713064d6f73636f7731153013060355040a130c4d617261666f6e20496e632e3122302006092a864886f70d010901161361646d696e406c65676769726f6e692e636f6d311e301c06035504031315436572746966696361746520417574686f72697479301e170d3130303432
        EAP-Message = 0x363130323332305a170d3131303432363130323332305a307f310b3009060355040613025255310f300d060355040813064d6f73636f7731153013060355040a130c4d617261666f6e20496e632e312430220603550403131b4b61736869726b61205365727665722043657274696669636174653122302006092a864886f70d010901161361646d696e406c65676765726f6e692e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d2743e0c153551489ae67b97c9afe79fa5ca51fd99d6d3f009666e6f217459f1436348be6b44ce709014dd9cd57d77f6505525dd1680062065f97b86c40c61ad93559ceb
        EAP-Message = 0xc6709699ac59436d781a51505d8094735f929f2ebcb7d491e23850be3399c1e6d3da162995da04e563d84088f2c707871438efe9e9f2afb091b3c5c71be10741565dfdb59960bbb76c2a55e96e9ae7b15f113b1eebaca1947f0c2c9b648a6bd87b549fd899e054f95df40fc36d566912ef73b25b4f01bf485042a48e4c3d7c8679c5d21f0ec1ac63ffad0cd3b73c25f43bf9846d6aa3f3b9ae6c000dd38ed4ffc6efc0210ca84f0305cf66b7d92d7bc6ea288829a86f71216ec632730203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101002a67d1474e392386a513b7132afa99
        EAP-Message = 0x15b0d34c0598245aa432dc5d9c3200aec72a21ce9081d66c627443311f448e050f0b58f08bcd544ee8a5299540594a7be5fcb346d9f5d34692d138039242795d099b8dbef2a48fba773e5e1bc4242a998e06b7d47c31c10ba5fcde427fb13089895f13afd5ee03ef59f0d3355b4aca0cbf408679e20091d2d64639217f8e8641d90a63041f08b257ae270c990e6c037b3195bcc0c22be41339cb8c5d49a26ac5353aef4c2cc3031931a2753b0dd1aea1f77d22ed77553ca896e0406551d7e7cc5401bafb909ce4f37ed6a959f1ea090aa7472513c1626dbb3d187f18b1455c8276f4ac5ff94c1cedac630b2f760d743a690004903082048c30820374a0
        EAP-Message = 0x03020102020900f4fb86f922
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xfa6bfc0dfb68f18fa0dab4178bf970f2
Finished request 1.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=132, length=160
        User-Name = "rum-test-user"
        NAS-IP-Address = 192.168.10.110
        NAS-Identifier = "P2302HWUDLP1"
        Framed-MTU = 1496
        Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co"
        Calling-Station-Id = "00-21-91-1d-f2-a3"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020300060d00
        State = 0xfa6bfc0dfb68f18fa0dab4178bf970f2
        Message-Authenticator = 0x1ce4d355c2d1bd10e8dbca6894f0f41e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rum-test-user", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "rum-test-user"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> rum-test-user
[sql] sql_set_user escaped user --> 'rum-test-user'
rlm_sql (sql): Reserving sql socket id: 1
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'rum-test-user'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'rum-test-user'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'rum-test-user'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 132 to 192.168.10.110 port 1128
        EAP-Message = 0x010404000dc000000913eed63f300d06092a864886f70d010105050030818a310b3009060355040613025255310f300d060355040813064d6f73636f77310f300d060355040713064d6f73636f7731153013060355040a130c4d617261666f6e20496e632e3122302006092a864886f70d010901161361646d696e406c65676769726f6e692e636f6d311e301c06035504031315436572746966696361746520417574686f72697479301e170d3130303432363130323332305a170d3131303432363130323332305a30818a310b3009060355040613025255310f300d060355040813064d6f73636f77310f300d060355040713064d6f73636f773115
        EAP-Message = 0x3013060355040a130c4d617261666f6e20496e632e3122302006092a864886f70d010901161361646d696e406c65676769726f6e692e636f6d311e301c06035504031315436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100da8fd40aeb4560ee62d7eb400eecf0c034167abda18131a194f8e4b8e0d8471346ad56b25556edcce80f5ba5117165896858972b923010fb858dcd37fe0f3878e3b7095a1608a9ae4fd8de93e530b57ac0250207326313a79193cd5549bf0bda3132ebc1b1aea087416e3b0884774eed403a8a806d99fd7373f49d61a81d176a04c12f
        EAP-Message = 0xa475d7a3175a4324a5fdb9873715f5386f464136cf308ee7435ffa7fe207b9ef4019d53fac9f905d12a89c6809ea6065c2c1bf3805b865e19fc35c72540d29a25753f281bb645d2dcbfdce2c6a39dbdf9f1aa81d1a3882bf3e1825a335c64e4e8f2c8124c02eaea370aa2b36b5c0200cd6ccb71a0ea0d929e6107391f30203010001a381f23081ef301d0603551d0e04160414dfd68eab4fa00f66cd48f4863038e1ddb486ae473081bf0603551d230481b73081b48014dfd68eab4fa00f66cd48f4863038e1ddb486ae47a18190a4818d30818a310b3009060355040613025255310f300d060355040813064d6f73636f77310f300d06035504071306
        EAP-Message = 0x4d6f73636f7731153013060355040a130c4d617261666f6e20496e632e3122302006092a864886f70d010901161361646d696e406c65676769726f6e692e636f6d311e301c06035504031315436572746966696361746520417574686f72697479820900f4fb86f922eed63f300c0603551d13040530030101ff300d06092a864886f70d010105050003820101005c5a3fa5c4fd74e5671536d5e8b4ab5c85f62fa617929dd6eedd858d7a9e806ac7f22cee6183e59b77640ec928104fad4edf31028512dd996274b1771bf97fb57456ef7924969ad583043ce60031826892759f266566661932ebe991b385e31b132c8f2a5cb92b281f187076082537
        EAP-Message = 0x46f1ccd6dac69324f35a3974
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xfa6bfc0df86ff18fa0dab4178bf970f2
Finished request 2.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=133, length=160
        User-Name = "rum-test-user"
        NAS-IP-Address = 192.168.10.110
        NAS-Identifier = "P2302HWUDLP1"
        Framed-MTU = 1496
        Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co"
        Calling-Station-Id = "00-21-91-1d-f2-a3"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020400060d00
        State = 0xfa6bfc0df86ff18fa0dab4178bf970f2
        Message-Authenticator = 0x53eb2ecc060bd66f7ed9239f03bd3d40
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rum-test-user", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "rum-test-user"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 4 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> rum-test-user
[sql] sql_set_user escaped user --> 'rum-test-user'
rlm_sql (sql): Reserving sql socket id: 0
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'rum-test-user'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'rum-test-user'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'rum-test-user'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 133 to 192.168.10.110 port 1128
        EAP-Message = 0x010501310d80000009131eb75a11467ab259e13055cdc68fce91bdab9e600eab0ba98f97fa7489a89a48272714e95c8a2af676d0175a63602b8c21cd43bcb3be995bcc44942f93374dce622151291fc98e57a3b4db78292c04b86f3b8f2d3fb9a158ca6e9ef48fb8320296561b48712445fdad04028d99d2344399b66dba6ff9e587c45c16bdad5aa0867d26021ea1160301009d0d00009503010240008f008d30818a310b3009060355040613025255310f300d060355040813064d6f73636f77310f300d060355040713064d6f73636f7731153013060355040a130c4d617261666f6e20496e632e3122302006092a864886f70d010901161361646d
        EAP-Message = 0x696e406c65676769726f6e692e636f6d311e301c06035504031315436572746966696361746520417574686f726974790e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xfa6bfc0df96ef18fa0dab4178bf970f2
Finished request 3.
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 0 ID 130 with timestamp +26
Waking up in 0.1 seconds.
Cleaning up request 1 ID 131 with timestamp +26
Cleaning up request 2 ID 132 with timestamp +26
Cleaning up request 3 ID 133 with timestamp +26
Ready to process requests.
If you want to live badly enough, you'll contort yourself even worse than that...
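The log above is easier to read once the EAP-TLS fragments are put back together: the server's Access-Challenge packets with flags 0xc0 (length included, more fragments) and 0x80/0x00 carry one TLS flight split over several EAP-Message attributes, the client's 0x020x00060d00 packets are bare TLS ACKs, and the conversation is only healthy if the client sends TLS data (its Certificate, ClientKeyExchange, and so on) after the fragment that ends with ServerHelloDone. The script below is an added example, not part of the original post or of freeradius: it parses `EAP-Message = 0x...` lines in the -X format shown here, reassembles the server's flight, lists the handshake messages in it, and reports whether the client ever answered the last fragment. The log it runs on is constructed inside the script (host 192.0.2.10, placeholder TLS bodies, real EAP-TLS framing); feed `analyse()` a real -X capture to use it on your own server.

```python
"""Reassemble the server side of an EAP-TLS conversation from freeradius -X
output and report whether the client answered the last server fragment.
Added example; the log lines it consumes are constructed in build_log()."""
import struct

FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # EAP-TLS flags, RFC 5216 section 3.1
EAP_TLS = 0x0d
HS = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 13: "CertificateRequest",
      14: "ServerHelloDone", 15: "CertificateVerify", 16: "ClientKeyExchange",
      20: "Finished"}


def parse_log(text):
    """Return [(direction, eap_packet)]: 'C' for rad_recv, 'S' for Access-Challenge.
    Several EAP-Message attributes in one RADIUS packet form one EAP packet."""
    packets, direction, hexbuf = [], None, []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(("rad_recv:", "Sending Access-")):
            if hexbuf:
                packets.append((direction, bytes.fromhex("".join(hexbuf))))
            direction, hexbuf = ("C" if s.startswith("rad_recv:") else "S"), []
        elif s.startswith("EAP-Message = 0x"):
            hexbuf.append(s[16:])
    if hexbuf:
        packets.append((direction, bytes.fromhex("".join(hexbuf))))
    return packets


def decode_eap_tls(pkt):
    """Split one EAP packet into its EAP-TLS fields; None if it is not EAP-TLS."""
    if len(pkt) < 6:
        return None                              # EAP-Success/Failure or truncated
    code, eap_id, length = struct.unpack(">BBH", pkt[:4])
    if length < 6 or pkt[4] != EAP_TLS:
        return None                              # Identity, NAK, other EAP types
    flags, data, tls_len = pkt[5], pkt[6:length], None
    if flags & FLAG_L:                           # first fragment carries total length
        tls_len, data = struct.unpack(">I", data[:4])[0], data[4:]
    return {"code": code, "id": eap_id, "flags": flags, "tls_len": tls_len, "data": data}


def handshake_types(tls_stream):
    """List the handshake messages carried by a sequence of TLS records."""
    hs, i = b"", 0
    while i + 5 <= len(tls_stream):
        ctype, rec_len = tls_stream[i], struct.unpack(">H", tls_stream[i + 3:i + 5])[0]
        if ctype == 0x16:                        # handshake content type
            hs += tls_stream[i + 5:i + 5 + rec_len]
        i += 5 + rec_len
    names, j = [], 0
    while j + 4 <= len(hs):
        mtype, mlen = hs[j], int.from_bytes(hs[j + 1:j + 4], "big")
        names.append(HS.get(mtype, "type%d" % mtype))
        j += 4 + mlen
    return names


def analyse(text):
    """Concatenate the server's fragments (skipping EAP-TLS Start) and check whether
    the client sent TLS data, not just an ACK, after the server's last fragment."""
    server, answered, last_was_final = b"", False, False
    for direction, pkt in parse_log(text):
        f = decode_eap_tls(pkt)
        if f is None or f["flags"] & FLAG_S:
            continue
        if direction == "S":
            server += f["data"]
            last_was_final = not (f["flags"] & FLAG_M)
        elif last_was_final and f["data"]:
            answered = True
    return {"server_flight": handshake_types(server), "server_bytes": len(server),
            "client_answered": answered}


def build_log(client_answers):
    """Constructed -X style lines for one exchange (placeholder TLS bodies; only the
    EAP-TLS framing is realistic). With client_answers=False the client never
    replies to the server's last fragment, which is what the log above shows."""
    def hs(mtype, body):
        return bytes([mtype]) + len(body).to_bytes(3, "big") + body
    def rec(payload):                            # one TLS 1.0 handshake record
        return b"\x16\x03\x01" + struct.pack(">H", len(payload)) + payload
    def eap(code, eap_id, flags, data=b"", total=0):
        body = bytes([EAP_TLS, flags])
        body += (struct.pack(">I", total) if flags & FLAG_L else b"") + data
        return struct.pack(">BBH", code, eap_id, 4 + len(body)) + body
    def lines(direction, pkt):                   # 253-byte EAP-Message attributes
        head = ("rad_recv: Access-Request packet from host 192.0.2.10 port 1128"
                if direction == "C" else "Sending Access-Challenge to 192.0.2.10 port 1128")
        return [head] + ["\tEAP-Message = 0x" + pkt[i:i + 253].hex()
                         for i in range(0, len(pkt), 253)]
    client_hello = rec(hs(1, b"\x03\x01" + b"\x22" * 32 + b"\x00\x00\x02\x00\x04\x01\x00"))
    flight = rec(hs(2, b"\x03\x01" + b"\x11" * 32 + b"\x00\x00\x04\x00")
                 + hs(11, b"\x00\x05\xdc" + b"\xaa" * 1500)
                 + hs(13, b"\x01\x02\x00\x00") + hs(14, b""))
    out = lines("S", eap(1, 2, FLAG_S))                          # EAP-TLS Start
    out += lines("C", eap(2, 2, FLAG_L, client_hello, len(client_hello)))
    chunks = [flight[i:i + 1000] for i in range(0, len(flight), 1000)]
    for n, chunk in enumerate(chunks):
        last = n == len(chunks) - 1
        flags = (FLAG_L if n == 0 else 0) | (0 if last else FLAG_M)
        out += lines("S", eap(1, 3 + n, flags, chunk, len(flight)))
        if not last:
            out += lines("C", eap(2, 3 + n, 0))                   # TLS ACK
    if client_answers:
        cert = rec(hs(11, b"\x00\x02\x58" + b"\xcc" * 600))
        out += lines("C", eap(2, 2 + len(chunks), FLAG_L, cert, len(cert)))
    else:
        out.append("Cleaning up request 3 ID 133 with timestamp +26")
    return "\n".join(out)


if __name__ == "__main__":
    for answered in (False, True):
        print("client answers:", answered, "->", analyse(build_log(answered)))
```

When pasting a real -X log into `analyse()`, join any EAP-Message lines that a terminal or forum wrapped onto several lines first; the parser expects each attribute on one line. A result with `ServerHelloDone` at the end of `server_flight` and `client_answered` False means the server did everything it could and the supplicant chose not to continue, which is a client-side question (trust in the CA, usability of the client certificate and key) rather than a freeradius one.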
sash-kan
Administrator
Posts: 13939
Status: oel ngati kameie
OS: GNU

Re: freeradius eap-tls

Post by sash-kan »

Just some thoughts on this piece:
banzay wrote:
26.04.2010 13:44
[tls] eaptls_verify returned 11
[tls]     (other): before/accept initialization
[tls]     TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0041], ClientHello  
[tls]     TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello  
[tls]     TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 083d], Certificate  
[tls]     TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 009d], CertificateRequest  
[tls]     TLS_accept: SSLv3 write certificate request A
[tls]     TLS_accept: SSLv3 flush data
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode  
[tls] eaptls_process returned 13
If I understand correctly, a ClientHello came in from the client. After that the server sends three requests, and in reply there is silence. It's a pity the log has no timestamps; I suspect there is a long waiting interval in there. Have a look with tshark at what is going on at that moment. Maybe the packets really aren't getting through.
Writing illiterately means encroaching on the time of the people we address, and is therefore completely unacceptable in a properly organized society. © Shcherba L. V., 1957
In case of forum failures, see the blog
banzay
Posts: 88
OS: openSUSE 12.1 (x86_64)

Re: freeradius eap-tls

Post by banzay »

sash-kan wrote:
26.04.2010 17:40
Just some thoughts on this piece:
banzay wrote:
26.04.2010 13:44
[tls] eaptls_verify returned 11
[tls]     (other): before/accept initialization
[tls]     TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0041], ClientHello  
[tls]     TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello  
[tls]     TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 083d], Certificate  
[tls]     TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 009d], CertificateRequest  
[tls]     TLS_accept: SSLv3 write certificate request A
[tls]     TLS_accept: SSLv3 flush data
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode  
[tls] eaptls_process returned 13
If I understand correctly, a ClientHello came in from the client. After that the server sends three requests, and in reply there is silence. It's a pity the log has no timestamps; I suspect there is a long waiting interval in there. Have a look with tshark at what is going on at that moment. Maybe the packets really aren't getting through.

There is a catch here: even with EAP-PEAP there is the same TLS output, but there everything works. Besides, I came across a mention somewhere that this output is normal TLS operation in freeradius, so here it is something else. I'll post a successful connection with EAP-PEAP, where all of this is visible.

Code:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=89, length=144
        User-Name = "rum-vlad"
        NAS-IP-Address = 192.168.10.110
        NAS-Identifier = "P2302HWUDLP1"
        Framed-MTU = 1496
        Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co"
        Calling-Station-Id = "00-21-91-1d-f2-a3"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201000d0172756d2d766c6164
        Message-Authenticator = 0x8efa8bfa0073e39b8dba62c73e7f8754
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rum-vlad", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "rum-vlad"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 1 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> rum-vlad
[sql] sql_set_user escaped user --> 'rum-vlad'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'rum-vlad'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'rum-vlad'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'rum-vlad'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 89 to 192.168.10.110 port 1128
        EAP-Message = 0x010200060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x83d52bc583d7261d78d8a602594b9f66
Finished request 11.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=90, length=155
        User-Name = "rum-vlad"
        NAS-IP-Address = 192.168.10.110
        NAS-Identifier = "P2302HWUDLP1"
        Framed-MTU = 1496
        Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co"
        Calling-Station-Id = "00-21-91-1d-f2-a3"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020200060319
        State = 0x83d52bc583d7261d78d8a602594b9f66
        Message-Authenticator = 0xf449f4f5af18328f0f69cb01661ea289
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rum-vlad", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "rum-vlad"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> rum-vlad
[sql] sql_set_user escaped user --> 'rum-vlad'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'rum-vlad'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'rum-vlad'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'rum-vlad'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 90 to 192.168.10.110 port 1128
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x83d52bc582d6321d78d8a602594b9f66
Finished request 12.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=91, length=229
        User-Name = "rum-vlad"
        NAS-IP-Address = 192.168.10.110
        NAS-Identifier = "P2302HWUDLP1"
        Framed-MTU = 1496
        Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co"
        Calling-Station-Id = "00-21-91-1d-f2-a3"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0203005019800000004616030100410100003d03014bd5a015ddb9ee785d156bf810a5a19e44547e88fddfff8f36c100f1c105e21600001600040005000a000900640062000300060013001200630100
        State = 0x83d52bc582d6321d78d8a602594b9f66
        Message-Authenticator = 0xf02d06ebbbc50c9106be3d1c133c6245
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rum-vlad", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "rum-vlad"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 3 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 083d], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 91 to 192.168.10.110 port 1128
        EAP-Message = 0x0104040019c00000087a160301002a0200002603014bd5a01633cdded364a2207bcf29a61854fb7c307cba254b55d8b8afa38524aa00000400160301083d0b0008390008360003a03082039c30820284a003020102020101300d06092a864886f70d010104050030818a310b3009060355040613025255310f300d060355040813064d6f73636f77310f300d060355040713064d6f73636f7731153013060355040a130c4d617261666f6e20496e632e3122302006092a864886f70d010901161361646d696e406c65676769726f6e692e636f6d311e301c06035504031315436572746966696361746520417574686f72697479301e170d3130303432
        EAP-Message = 0x363130323332305a170d3131303432363130323332305a307f310b3009060355040613025255310f300d060355040813064d6f73636f7731153013060355040a130c4d617261666f6e20496e632e312430220603550403131b4b61736869726b61205365727665722043657274696669636174653122302006092a864886f70d010901161361646d696e406c65676765726f6e692e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d2743e0c153551489ae67b97c9afe79fa5ca51fd99d6d3f009666e6f217459f1436348be6b44ce709014dd9cd57d77f6505525dd1680062065f97b86c40c61ad93559ceb
        EAP-Message = 0xc6709699ac59436d781a51505d8094735f929f2ebcb7d491e23850be3399c1e6d3da162995da04e563d84088f2c707871438efe9e9f2afb091b3c5c71be10741565dfdb59960bbb76c2a55e96e9ae7b15f113b1eebaca1947f0c2c9b648a6bd87b549fd899e054f95df40fc36d566912ef73b25b4f01bf485042a48e4c3d7c8679c5d21f0ec1ac63ffad0cd3b73c25f43bf9846d6aa3f3b9ae6c000dd38ed4ffc6efc0210ca84f0305cf66b7d92d7bc6ea288829a86f71216ec632730203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101002a67d1474e392386a513b7132afa99
        EAP-Message = 0x15b0d34c0598245aa432dc5d9c3200aec72a21ce9081d66c627443311f448e050f0b58f08bcd544ee8a5299540594a7be5fcb346d9f5d34692d138039242795d099b8dbef2a48fba773e5e1bc4242a998e06b7d47c31c10ba5fcde427fb13089895f13afd5ee03ef59f0d3355b4aca0cbf408679e20091d2d64639217f8e8641d90a63041f08b257ae270c990e6c037b3195bcc0c22be41339cb8c5d49a26ac5353aef4c2cc3031931a2753b0dd1aea1f77d22ed77553ca896e0406551d7e7cc5401bafb909ce4f37ed6a959f1ea090aa7472513c1626dbb3d187f18b1455c8276f4ac5ff94c1cedac630b2f760d743a690004903082048c30820374a0
        EAP-Message = 0x03020102020900f4fb86f922
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x83d52bc581d1321d78d8a602594b9f66
Finished request 13.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=92, length=155
        User-Name = "rum-vlad"
        NAS-IP-Address = 192.168.10.110
        NAS-Identifier = "P2302HWUDLP1"
        Framed-MTU = 1496
        Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co"
        Calling-Station-Id = "00-21-91-1d-f2-a3"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020400061900
        State = 0x83d52bc581d1321d78d8a602594b9f66
        Message-Authenticator = 0xf2f43536ef82184b667e4788e4a7cba6
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rum-vlad", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "rum-vlad"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 92 to 192.168.10.110 port 1128
        EAP-Message = 0x010503fc1940eed63f300d06092a864886f70d010105050030818a310b3009060355040613025255310f300d060355040813064d6f73636f77310f300d060355040713064d6f73636f7731153013060355040a130c4d617261666f6e20496e632e3122302006092a864886f70d010901161361646d696e406c65676769726f6e692e636f6d311e301c06035504031315436572746966696361746520417574686f72697479301e170d3130303432363130323332305a170d3131303432363130323332305a30818a310b3009060355040613025255310f300d060355040813064d6f73636f77310f300d060355040713064d6f73636f77311530130603
        EAP-Message = 0x55040a130c4d617261666f6e20496e632e3122302006092a864886f70d010901161361646d696e406c65676769726f6e692e636f6d311e301c06035504031315436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100da8fd40aeb4560ee62d7eb400eecf0c034167abda18131a194f8e4b8e0d8471346ad56b25556edcce80f5ba5117165896858972b923010fb858dcd37fe0f3878e3b7095a1608a9ae4fd8de93e530b57ac0250207326313a79193cd5549bf0bda3132ebc1b1aea087416e3b0884774eed403a8a806d99fd7373f49d61a81d176a04c12fa475d7a3
        EAP-Message = 0x175a4324a5fdb9873715f5386f464136cf308ee7435ffa7fe207b9ef4019d53fac9f905d12a89c6809ea6065c2c1bf3805b865e19fc35c72540d29a25753f281bb645d2dcbfdce2c6a39dbdf9f1aa81d1a3882bf3e1825a335c64e4e8f2c8124c02eaea370aa2b36b5c0200cd6ccb71a0ea0d929e6107391f30203010001a381f23081ef301d0603551d0e04160414dfd68eab4fa00f66cd48f4863038e1ddb486ae473081bf0603551d230481b73081b48014dfd68eab4fa00f66cd48f4863038e1ddb486ae47a18190a4818d30818a310b3009060355040613025255310f300d060355040813064d6f73636f77310f300d060355040713064d6f7363
        EAP-Message = 0x6f7731153013060355040a130c4d617261666f6e20496e632e3122302006092a864886f70d010901161361646d696e406c65676769726f6e692e636f6d311e301c06035504031315436572746966696361746520417574686f72697479820900f4fb86f922eed63f300c0603551d13040530030101ff300d06092a864886f70d010105050003820101005c5a3fa5c4fd74e5671536d5e8b4ab5c85f62fa617929dd6eedd858d7a9e806ac7f22cee6183e59b77640ec928104fad4edf31028512dd996274b1771bf97fb57456ef7924969ad583043ce60031826892759f266566661932ebe991b385e31b132c8f2a5cb92b281f18707608253746f1ccd6
        EAP-Message = 0xdac69324f35a3974
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x83d52bc580d0321d78d8a602594b9f66
Finished request 14.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=93, length=155
        User-Name = "rum-vlad"
        NAS-IP-Address = 192.168.10.110
        NAS-Identifier = "P2302HWUDLP1"
        Framed-MTU = 1496
        Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co"
        Calling-Station-Id = "00-21-91-1d-f2-a3"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020500061900
        State = 0x83d52bc580d0321d78d8a602594b9f66
        Message-Authenticator = 0x12fe65c7ab2ae7100e2a117acad42e94
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rum-vlad", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "rum-vlad"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 93 to 192.168.10.110 port 1128
        EAP-Message = 0x0106009419001eb75a11467ab259e13055cdc68fce91bdab9e600eab0ba98f97fa7489a89a48272714e95c8a2af676d0175a63602b8c21cd43bcb3be995bcc44942f93374dce622151291fc98e57a3b4db78292c04b86f3b8f2d3fb9a158ca6e9ef48fb8320296561b48712445fdad04028d99d2344399b66dba6ff9e587c45c16bdad5aa0867d26021ea116030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x83d52bc587d3321d78d8a602594b9f66
Finished request 15.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=94, length=471
        User-Name = "rum-vlad"
        NAS-IP-Address = 192.168.10.110
        NAS-Identifier = "P2302HWUDLP1"
        Framed-MTU = 1496
        Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co"
        Calling-Station-Id = "00-21-91-1d-f2-a3"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02060140198000000136160301010610000102010082050a245177a5581a4d86f62a082553fdd71d7a7950d208958570de15151f6b20de2367bdcb7ef80ae5bf524a4a0e97b89bb69201908d1c4ec3bb96e8976fd9c5480bb5f761f3802e1944ca8b8d1b33363d35a8ed9222b1f20b2eacb23001c7786f3f625d44e7a3120f65f1f10b12f41e3474bed63083374493824174aa097117440a8740013cbaf815a48528e0c7d3c468eca4393b0bf3ded5159e179be015f0f5461188ae5105ea5c8085f287e59f24fba4d20e1f0436dfcba949b6b5c19ed6f5c80a652c9deebedbe99bdc402f2db4ab7c46d7dfcd23633348c8242b13159b6f0abea2953baf
        EAP-Message = 0x19ebb21c105245e182a5b8225a93d5cb65b13aa618a770d614030100010116030100207ed9f3ff3e7a51449264abdf569637819ae0410d05a7ae4e44a9e1d71d0f86c1
        State = 0x83d52bc587d3321d78d8a602594b9f66
        Message-Authenticator = 0xa0828eb2a8d423d34950225da4b936f9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rum-vlad", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "rum-vlad"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 6 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 94 to 192.168.10.110 port 1128
        EAP-Message = 0x0107003119001403010001011603010020843d35c5470c46b6ec71b06891b0851e621334518ef6b15adb3f27819678ce8a
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x83d52bc586d2321d78d8a602594b9f66
Finished request 16.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=95, length=155
        User-Name = "rum-vlad"
        NAS-IP-Address = 192.168.10.110
        NAS-Identifier = "P2302HWUDLP1"
        Framed-MTU = 1496
        Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co"
        Calling-Station-Id = "00-21-91-1d-f2-a3"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020700061900
        State = 0x83d52bc586d2321d78d8a602594b9f66
        Message-Authenticator = 0xb3a6fe7dbb3b9d75e2749341d31f8923
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rum-vlad", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "rum-vlad"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 95 to 192.168.10.110 port 1128
        EAP-Message = 0x010800201900170301001572f621ab8de50387b08c9931dca013c8f71b4e511c
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x83d52bc585dd321d78d8a602594b9f66
Finished request 17.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=96, length=185
        User-Name = "rum-vlad"
        NAS-IP-Address = 192.168.10.110
        NAS-Identifier = "P2302HWUDLP1"
        Framed-MTU = 1496
        Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co"
        Calling-Station-Id = "00-21-91-1d-f2-a3"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02080024190017030100196abf9b4018d88a0343d775648710792395e71ef1cdd5dfbe0a
        State = 0x83d52bc585dd321d78d8a602594b9f66
        Message-Authenticator = 0x4ec7413544cc265ae635dc91762ec2e6
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rum-vlad", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "rum-vlad"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 8 length 36
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - rum-vlad
[peap] Got tunneled request
        EAP-Message = 0x0208000d0172756d2d766c6164
server  {
  PEAP: Got tunneled identity of rum-vlad
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to rum-vlad
Sending tunneled request
        EAP-Message = 0x0208000d0172756d2d766c6164
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "rum-vlad"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "rum-vlad", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "rum-vlad"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 8 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql]   expand: %{User-Name} -> rum-vlad
[sql] sql_set_user escaped user --> 'rum-vlad'
rlm_sql (sql): Reserving sql socket id: 2
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'rum-vlad'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'rum-vlad'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'rum-vlad'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message = 0x010900221a0109001d1020ed45dbb371424008b47626520b698972756d2d766c6164
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xecacd6bbeca5ccf049367f2a8fbb44bf
[peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x010900221a0109001d1020ed45dbb371424008b47626520b698972756d2d766c6164
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xecacd6bbeca5ccf049367f2a8fbb44bf
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 96 to 192.168.10.110 port 1128
        EAP-Message = 0x010900391900170301002e3acdd6cd9a0e63353cd5b939184d91787a80d782f90a52f2e144832078eb4ef50035eda137b175c7e5dc46135dde
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x83d52bc584dc321d78d8a602594b9f66
Finished request 18.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=97, length=239
        User-Name = "rum-vlad"
        NAS-IP-Address = 192.168.10.110
        NAS-Identifier = "P2302HWUDLP1"
        Framed-MTU = 1496
        Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co"
        Calling-Station-Id = "00-21-91-1d-f2-a3"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0209005a1900170301004f02ceef62680a4e1497c6dba3444e015a2e19f2e493a905f7e877bed5abacdba6d601eb53d1b81ee2441c1440388e602d75b30d844c6c3e5a809da95aeebd0ff984849d5706c6701a5984ab1e2e8d8a
        State = 0x83d52bc584dc321d78d8a602594b9f66
        Message-Authenticator = 0x0ce80ddb7f91317eb9c1f1934dbaa2af
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rum-vlad", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "rum-vlad"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 9 length 90
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x020900431a0209003e3108bc474c03b51ab27389892c6f487d660000000000000000300558a5b580c9f9c55c9f9cf6cdcf15197341a431a7b4d70072756d2d766c6164
server  {
  PEAP: Setting User-Name to rum-vlad
Sending tunneled request
        EAP-Message = 0x020900431a0209003e3108bc474c03b51ab27389892c6f487d660000000000000000300558a5b580c9f9c55c9f9cf6cdcf15197341a431a7b4d70072756d2d766c6164
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "rum-vlad"
        State = 0xecacd6bbeca5ccf049367f2a8fbb44bf
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "rum-vlad", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "rum-vlad"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 9 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql]   expand: %{User-Name} -> rum-vlad
[sql] sql_set_user escaped user --> 'rum-vlad'
rlm_sql (sql): Reserving sql socket id: 1
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'rum-vlad'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'rum-vlad'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'rum-vlad'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for rum-vlad with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message = 0x010a00331a0309002e533d34444536433036413333353335374131373337353933444139393942343342393536334245353739
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xecacd6bbeda6ccf049367f2a8fbb44bf
[peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x010a00331a0309002e533d34444536433036413333353335374131373337353933444139393942343342393536334245353739
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xecacd6bbeda6ccf049367f2a8fbb44bf
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 97 to 192.168.10.110 port 1128
        EAP-Message = 0x010a004a1900170301003fe6ac6a54dd90e5178963dc482423557d57495904a8ad4a51b63a1fd06b5ce69f6768051634f8eb818f4694d84d849c7cc645b5f92e8c0ad1b44813d6ff8f09
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x83d52bc58bdf321d78d8a602594b9f66
Finished request 19.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=98, length=178
        User-Name = "rum-vlad"
        NAS-IP-Address = 192.168.10.110
        NAS-Identifier = "P2302HWUDLP1"
        Framed-MTU = 1496
        Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co"
        Calling-Station-Id = "00-21-91-1d-f2-a3"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020a001d19001703010012605f9565b5e1eff494d7f76ec25815e8fb19
        State = 0x83d52bc58bdf321d78d8a602594b9f66
        Message-Authenticator = 0xa82e1d1a2e1f1fbefe8d7aa6468529bc
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rum-vlad", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "rum-vlad"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 10 length 29
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x020a00061a03
server  {
  PEAP: Setting User-Name to rum-vlad
Sending tunneled request
        EAP-Message = 0x020a00061a03
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "rum-vlad"
        State = 0xecacd6bbeda6ccf049367f2a8fbb44bf
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "rum-vlad", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "rum-vlad"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 10 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql]   expand: %{User-Name} -> rum-vlad
[sql] sql_set_user escaped user --> 'rum-vlad'
rlm_sql (sql): Reserving sql socket id: 0
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'rum-vlad'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'rum-vlad'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'rum-vlad'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
[sql]   expand: %{User-Name} -> rum-vlad
[sql] sql_set_user escaped user --> 'rum-vlad'
[sql]   expand: %{User-Password} ->
[sql]   ... expanding second conditional
[sql]   expand: %{Chap-Password} ->
[sql]   expand: INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'rum-vlad',                           '',                           'Access-Accept', '2010-04-26 18:15:50')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'rum-vlad',                           '',                           'Access-Accept', '2010-04-26 18:15:50')
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
} # server inner-tunnel
[peap] Got tunneled reply code 2
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "rum-vlad"
[peap] Got tunneled reply RADIUS code 2
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "rum-vlad"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 98 to 192.168.10.110 port 1128
        EAP-Message = 0x010b00261900170301001b6371b34a80f990eebe2a57e5901f3e33b120872fad77e9c448c990
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x83d52bc58ade321d78d8a602594b9f66
Finished request 20.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=99, length=187
        User-Name = "rum-vlad"
        NAS-IP-Address = 192.168.10.110
        NAS-Identifier = "P2302HWUDLP1"
        Framed-MTU = 1496
        Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co"
        Calling-Station-Id = "00-21-91-1d-f2-a3"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020b00261900170301001b0edde0b46e5a979fce6b6a368fae68989c2cb338648edd0002d3a4
        State = 0x83d52bc58ade321d78d8a602594b9f66
        Message-Authenticator = 0xb823d0dbd56cede9aa8b7ae357ff2ba7
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rum-vlad", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "rum-vlad"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 11 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
[sql]   expand: %{User-Name} -> rum-vlad
[sql] sql_set_user escaped user --> 'rum-vlad'
[sql]   expand: %{User-Password} ->
[sql]   ... expanding second conditional
[sql]   expand: %{Chap-Password} ->
[sql]   expand: INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'rum-vlad',                           '',                           'Access-Accept', '2010-04-26 18:15:50')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'rum-vlad',                           '',                           'Access-Accept', '2010-04-26 18:15:50')
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 99 to 192.168.10.110 port 1128
        MS-MPPE-Recv-Key = 0x0ccb0cd959684de180b5a620331699cb9edc972b85e74a78ce31ba2809a48acb
        MS-MPPE-Send-Key = 0x332b09140e68ee5b3d0f1282b3e1ebadc16cd74777df4cdc272609175130c29d
        EAP-Message = 0x030b0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "rum-vlad"
Finished request 21.
Going to the next request
Waking up in 4.5 seconds.
Cleaning up request 11 ID 89 with timestamp +170
Cleaning up request 12 ID 90 with timestamp +170
Cleaning up request 13 ID 91 with timestamp +170
Cleaning up request 14 ID 92 with timestamp +170
Cleaning up request 15 ID 93 with timestamp +170
Cleaning up request 16 ID 94 with timestamp +170
Cleaning up request 17 ID 95 with timestamp +170
Cleaning up request 18 ID 96 with timestamp +170
Cleaning up request 19 ID 97 with timestamp +170
Cleaning up request 20 ID 98 with timestamp +170
Cleaning up request 21 ID 99 with timestamp +170
Ready to process requests.

Server certificate verification is enabled here....
If you want to live, you'll contort yourself worse than that...

sash-kan (Administrator)

Re: freeradius eap-tls

Post by sash-kan »

No obvious errors that I can see. So the server is simply waiting for the dialogue to continue, and that's it.
And what does the client say about this?

How long after do the "cleaning up" entries appear in the log?

P.S. The difference in the timestamp numbers caught my eye. Is the time synchronised on all your machines? Is there a parameter in the configuration that controls this timestamp?
To write illiterately is to encroach on the time of the people we address, and is therefore completely unacceptable in a properly organised society. © L. V. Shcherba, 1957
If the forum is down, see the blog
banzay

Re: freeradius eap-tls

Post by banzay »

sash-kan wrote:
27.04.2010 10:55
No obvious errors that I can see. So the server is simply waiting for the dialogue to continue, and that's it.
And what does the client say about this?

How long after do the "cleaning up" entries appear in the log?

P.S. The difference in the timestamp numbers caught my eye. Is the time synchronised on all your machines? Is there a parameter in the configuration that controls this timestamp?

The time shown there is counted from the first request

Code:

 Waking up in 4.5 seconds.
"cleaning up" appears somewhere around 2-3 seconds after the last output.
There should be a parameter, I'll look for it, but how is time synchronisation tied to the timestamp? Of course, as an aside, I could synchronise against the server, but what would that give? It looks like the supplicant simply does not answer the next Access-Challenge.
sash-kan (Administrator)

Re: freeradius eap-tls

Post by sash-kan »

banzay wrote:
27.04.2010 12:38
but how is time synchronisation tied to the timestamp?
No idea. It was just a passing thought, as a hint. With Kerberos authentication, for example, time synchronisation is vital.
As for the timestamps themselves: I see a big difference in the values in the last two logs.
banzay

Re: freeradius eap-tls

Post by banzay »

sash-kan wrote:
27.04.2010 13:04
banzay wrote:
27.04.2010 12:38
but how is time synchronisation tied to the timestamp?
No idea. It was just a passing thought, as a hint. With Kerberos authentication, for example, time synchronisation is vital.
As for the timestamps themselves: I see a big difference in the values in the last two logs.

Yes, there is a difference, and the timestamp is different on every connection; I would guess it is assigned dynamically, and what it depends on is hard to say.
But the protocol should work: request - response; if there is no response, then cleaning up, and the wait time, I think, is set by a parameter in the server config. But the problem seems to be that the supplicant either doesn't send something back or sends it back incorrectly; the server sends another Access-Challenge and, on timeout, having received no response, clears the request chain... And why that happens is the whole trick. I'll try wpa_supplicant as the client; maybe that will shed some light, at least there you can look at the debug output... Though right now I don't have a *nix client with wifi at hand. I'll report back once I've checked it.
banzay

Re: freeradius eap-tls

Post by banzay »

So I tried wpa_supplicant with eap-tls

Code:

rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=15, length=136
        User-Name = "user"
        NAS-IP-Address = 192.168.10.110
        NAS-Identifier = "P2302HWUDLP1"
        Framed-MTU = 1496
        Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co"
        Calling-Station-Id = "00-21-91-1d-f2-a3"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020700090175736572
        Message-Authenticator = 0x7b242fb4e8dfdd98a4e156b45f9290f2
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "user", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 7 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> user
[sql] sql_set_user escaped user --> 'user'
rlm_sql (sql): Reserving sql socket id: 0
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'user'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'user'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'user'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 15 to 192.168.10.110 port 1128
        EAP-Message = 0x010800061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x72936a17729b7337735ef27ce40fec2c
Finished request 1353.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=16, length=151
        User-Name = "user"
        NAS-IP-Address = 192.168.10.110
        NAS-Identifier = "P2302HWUDLP1"
        Framed-MTU = 1496
        Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co"
        Calling-Station-Id = "00-21-91-1d-f2-a3"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02080006030d
        State = 0x72936a17729b7337735ef27ce40fec2c
        Message-Authenticator = 0xddadc8efc75a6fcf2ca7076509669d77
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "user", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 8 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> user
[sql] sql_set_user escaped user --> 'user'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'user'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'user'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'user'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 16 to 192.168.10.110 port 1128
        EAP-Message = 0x010900060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x72936a17739a6737735ef27ce40fec2c
Finished request 1354.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=17, length=239
        User-Name = "user"
        NAS-IP-Address = 192.168.10.110
        NAS-Identifier = "P2302HWUDLP1"
        Framed-MTU = 1496
        Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co"
        Calling-Station-Id = "00-21-91-1d-f2-a3"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0209005e0d0016030100530100004f03014bd7fd05d39bc10294132068564e7648c73aa1ea4570a0a9b545f6c129801d8300002800390038003500160013000a00330032002f000700050004001500120009001400110008000600030100
        State = 0x72936a17739a6737735ef27ce40fec2c
        Message-Authenticator = 0x40c4b4522efb0e2a05273802f2e43727
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "user", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 9 length 94
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> user
[sql] sql_set_user escaped user --> 'user'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'user'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'user'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'user'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls]     (other): before/accept initialization
[tls]     TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0053], ClientHello
[tls]     TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[tls]     TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 083d], Certificate
[tls]     TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[tls]     TLS_accept: SSLv3 write key exchange A
[tls] >>> TLS 1.0 Handshake [length 009f], CertificateRequest
[tls]     TLS_accept: SSLv3 write certificate request A
[tls]     TLS_accept: SSLv3 flush data
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 17 to 192.168.10.110 port 1128
        EAP-Message = 0x010a04000dc000000b27160301002a0200002603014bd7fd05decd20282d1d00af08775f5268252c0fac075ae8b63486a92bef4af400003900160301083d0b0008390008360003a03082039c30820284a003020102020101300d06092a864886f70d010104050030818a310b3009060355040613025255310f300d060355040813064d6f73636f77310f300d060355040713064d6f73636f7731153013060355040a130c4d617261666f6e20496e632e3122302006092a864886f70d010901161361646d696e406c65676769726f6e692e636f6d311e301c06035504031315436572746966696361746520417574686f72697479301e170d3130303432
        EAP-Message = 0x373131333330305a170d3131303432373131333330305a307f310b3009060355040613025255310f300d060355040813064d6f73636f7731153013060355040a130c4d617261666f6e20496e632e312430220603550403131b4b61736869726b61205365727665722043657274696669636174653122302006092a864886f70d010901161361646d696e406c65676765726f6e692e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c70425d1365a3bc862ed5e13826bfcf5329ed3a6215c684d2eb4fe40df76cb9ed697f704814580714fb889b6cb8656b70dbd5dc5196665e872298426341036b158531a0
        EAP-Message = 0x41d90c26678da5cb32e0cce360f68a901fcf7beceeb30d1800bf69f2e50805d5fda80ba463089a348e3d95664b289dcf2f84197ff2a0c2db41685fa0d590687364b8ce9c8e54cb486bb48c968b1a744c042c581d50886522c08734cc61e6200f90eb4669962734f07c7b19b7a09b0e822d3b89766cd25cafab71f95a7b2f28a79c5748489d748a6d5df531a040276bc9c7c24e4bc9040b4359a33e1d1375d3cec07bf7191405900d8833c0f4bbb3e16adb54619eefce7cd16fbb66730203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101005d45bc7135cb6149f16023aa4d2ccd
        EAP-Message = 0x4d8183f4ded7352ce29a7eec9f35c88302f1104e8515deeca83ede314595df783d0ca63ceef4094bc722965dffb84489bc9ea7c62ea4f896e8d38d383aeaaed7da44a536700a98d81f2c16e4dc809d9d2126b4028b29eff267fec0e66a0e97c4b514b9a9cabcdb9a37576822fdbd5810ea7d1585a75300178d57dc13449ba0959c0bb4e7108abe5b9f14768fd2b62786786e1ac6771961d4a91c92d573af3da6d3dc45a704ec6319afc2b8b04ced105f2af477cca92e496e5b68ddb3493546ae41a518feb85251653c748d873971f7b52178dfb219fa113afae7be992f0f4de21e849b2de1232689e6f592ec69209fdcc60004903082048c30820374a0
        EAP-Message = 0x03020102020900a9b61ff795
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x72936a1770996737735ef27ce40fec2c
Finished request 1355.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=18, length=151
        User-Name = "user"
        NAS-IP-Address = 192.168.10.110
        NAS-Identifier = "P2302HWUDLP1"
        Framed-MTU = 1496
        Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co"
        Calling-Station-Id = "00-21-91-1d-f2-a3"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020a00060d00
        State = 0x72936a1770996737735ef27ce40fec2c
        Message-Authenticator = 0x97a785b0f03934112ac6cbafc5ad5449
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "user", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 10 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> user
[sql] sql_set_user escaped user --> 'user'
rlm_sql (sql): Reserving sql socket id: 2
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'user'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'user'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'user'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 18 to 192.168.10.110 port 1128
        EAP-Message = 0x010b04000dc000000b2792fc10300d06092a864886f70d010105050030818a310b3009060355040613025255310f300d060355040813064d6f73636f77310f300d060355040713064d6f73636f7731153013060355040a130c4d617261666f6e20496e632e3122302006092a864886f70d010901161361646d696e406c65676769726f6e692e636f6d311e301c06035504031315436572746966696361746520417574686f72697479301e170d3130303432373131333330305a170d3131303432373131333330305a30818a310b3009060355040613025255310f300d060355040813064d6f73636f77310f300d060355040713064d6f73636f773115
        EAP-Message = 0x3013060355040a130c4d617261666f6e20496e632e3122302006092a864886f70d010901161361646d696e406c65676769726f6e692e636f6d311e301c06035504031315436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010100cf3e4307a4b3b8464d9b52f9020b246f227b9b0efa9fc4cce2210a9f317b55dbb49b97cc6942e4583d0621136c1234ab4b5e2c1de26e1b4026b89dc53524a74d948c618ccfd5fb94e2e4f950451f423592e7cb468af06d8ccc31223bffe2062787dc332c661c690298ab43f59e9c8794e6bbdb58d513cbc2133c3d71de4090b1628f7c
        EAP-Message = 0xe2625e31dd08dc4ab3386744b61e9549a4f84c82bbfcf65800e9978ecf5d2adc7b0dcb9db7d57f647fe9f8fc0556ca93a18bb35c22129b9a087479ace86197257e492de8270d03954098761ad02b76d1838ac3f63a5604d950d673637f0cfeafe2910c790c63a3b8f96783fba3919a198e119c5df92eb41770c4734e510203010001a381f23081ef301d0603551d0e0416041419d119d7e0215a94058687fcc20fd9d68931acbc3081bf0603551d230481b73081b4801419d119d7e0215a94058687fcc20fd9d68931acbca18190a4818d30818a310b3009060355040613025255310f300d060355040813064d6f73636f77310f300d06035504071306
        EAP-Message = 0x4d6f73636f7731153013060355040a130c4d617261666f6e20496e632e3122302006092a864886f70d010901161361646d696e406c65676769726f6e692e636f6d311e301c06035504031315436572746966696361746520417574686f72697479820900a9b61ff79592fc10300c0603551d13040530030101ff300d06092a864886f70d0101050500038201010044c3b4c2207b251b20f012497566755f3f909a8b506479202660fd1ed324e2d6719c3e76377f33f58fbc9253c66cb744a9dbf57319a5215c735802496c00785b4d6679115f53bfdf559eb915ede18895a749e74cbd1b44de149990e8cb9b1aa181f7ff065d140b7b65e2f46183af18
        EAP-Message = 0xa0657aafbd49900b6c40e383
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x72936a1771986737735ef27ce40fec2c
Finished request 1356.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.10.110 port 1128, id=19, length=151
        User-Name = "user"
        NAS-IP-Address = 192.168.10.110
        NAS-Identifier = "P2302HWUDLP1"
        Framed-MTU = 1496
        Called-Station-Id = "00-19-cb-6f-97-6c:marafon_co"
        Calling-Station-Id = "00-21-91-1d-f2-a3"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020b00060d00
        State = 0x72936a1771986737735ef27ce40fec2c
        Message-Authenticator = 0x08c02de651284b9ef91ca0420f248cbe
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "user", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 11 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> user
[sql] sql_set_user escaped user --> 'user'
rlm_sql (sql): Reserving sql socket id: 1
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'user'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'user'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'user'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 19 to 192.168.10.110 port 1128
        EAP-Message = 0x010c03450d8000000b27876be837fe66b9712a49452f549cfd4cdf3eb85f88fd95e8cd4228a3924b13ec3560a061db8fbda7073981f062a50d0a4fa915b11a4f9659cce615620950e171f73dd9eca5222cbabdd73b735d9e25b1321cd6d97e496854fa566ce0fef7959616ec00a5cc4f812d9824682193ca96b1f85ad36a5d54daf5b9a4c356773606d25cb2a16174160301020d0c00020900809024c6f28b80218d1b91701f78d59ded63fb30eb410eada0f206688ec1253cf19bbf71b9baf5f9da7b6b3e5002f5f4d97fd221668e047bb6c141730c70e4c367538e79fd4eb1a79d7879fea1cd673d80356586884041292fef2a912e2f96d36a548a63
        EAP-Message = 0x1d80145de28a344d0bf9d83fa6c55229c25a70e561ac1bb5ce40e5229b0001020080538c965a8d4993e5d9d99d96d6088a806709d45e785ac5c619b7bba5709c126371e16723bbda37841f479335a90e77f4e1370521087611200713c7e190689978662c79a79f89255a253ecf9733a7bfda5bff13ab0e9a6c21aeede0188125692b2ba50c63ff47bfbd5189631ae6bc849b986d91a017430617425d56fb3abfb0a90100bc4feebe26c2880419e3b60b12801764dbec3c50e8c6949a8c9b5d49c42b7c4081fd39d4f4cbb95cb14d6c4d5b816021d1aa6e80e8fdcccd834f753e04c3b5883e1a0ce803523487bc4b34394703e33edde31e47d899fdba39
        EAP-Message = 0x8a017ae2a7f6f1ec085d36c2e065f2bbbdc4a0dd5bd1617277b3f7d98e4e035beb9d8049c5a48a1e77c482610e8660d04537fcca403fff2a8aef44f1e369a46c2fd4082c5c85e4e974f0b73757cf0a0ccb817bcbe2b483cb6288e52c3cd086f4a92949759f3dff6ab9c63edc9c956b0991ae22d8a6798e539c5460e18e7b896076638d8a6264aa58e8b3fced70d57263129f1a56965946b2b10626df858ab249144aad843c540b160301009f0d000097050304010240008f008d30818a310b3009060355040613025255310f300d060355040813064d6f73636f77310f300d060355040713064d6f73636f7731153013060355040a130c4d617261666f
        EAP-Message = 0x6e20496e632e3122302006092a864886f70d010901161361646d696e406c65676769726f6e692e636f6d311e301c06035504031315436572746966696361746520417574686f726974790e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x72936a17769f6737735ef27ce40fec2c
Finished request 1357.
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 1353 ID 15 with timestamp +77629
Cleaning up request 1354 ID 16 with timestamp +77629
Cleaning up request 1355 ID 17 with timestamp +77629
Cleaning up request 1356 ID 18 with timestamp +77629
Cleaning up request 1357 ID 19 with timestamp +77629
Ready to process requests.

I don't see a big difference.
:(
Conclusion: we set up what works, EAP-PEAP.
And still, if anyone has managed it (if there is anyone), share your experience; I'm terribly curious where the catch is here....
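As an added example (not code from this thread, from FreeRADIUS or from wpa_supplicant), the following Python script decodes the EAP-TLS packets quoted in the wpa_supplicant log above, so that the point where the exchange stalls can be read off rather than guessed. The hex strings are copied from the EAP-Message attributes in that log (EAP ids 9 to 12; of the long server fragments only the first bytes and the final TLS record are needed); every function and variable name is the example's own, and the handshake-type, cipher-suite and EAP-TLS flag values are the RFC 2246, RFC 3268 and RFC 5216 numbers.

```python
# Added example (not code from the thread, FreeRADIUS or wpa_supplicant): decode the EAP-TLS
# packets quoted in the wpa_supplicant log above. The hex is copied from its EAP-Message
# attributes (EAP ids 9 to 12); every function name here is the example's own.
import struct
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
             13: "CertificateRequest", 14: "ServerHelloDone"}
EXPORT_SUITES = {0x0003, 0x0006, 0x0008, 0x0011, 0x0014}       # 40-bit RFC 2246 export suites
CLIENT_HELLO = bytes.fromhex(                                   # EAP id 9: the whole ClientHello
    "0209005e0d0016030100530100004f03014bd7fd05d39bc10294132068564e7648c73aa1ea4570"
    "a0a9b545f6c129801d8300002800390038003500160013000a00330032002f000700050004001500"
    "120009001400110008000600030100")
SERVER_FIRST_FRAGMENT = bytes.fromhex(                          # EAP id 10, first 79 bytes: header + ServerHello
    "010a04000dc000000b27160301002a0200002603014bd7fd05decd20282d1d00af08775f526825"
    "2c0fac075ae8b63486a92bef4af400003900160301083d0b0008390008360003a03082039c308202")
SERVER_FRAGMENT_HEADERS = [bytes.fromhex(h) for h in            # first 10 bytes of EAP ids 10, 11, 12
                           ("010a04000dc000000b27", "010b04000dc000000b27", "010c03450d8000000b27")]
SERVER_FLIGHT_TAIL = bytes.fromhex(                             # end of EAP id 12: last TLS record
    "160301009f0d000097050304010240008f008d30818a310b30090603550406130252"
    "55310f300d060355040813064d6f73636f77310f300d060355040713064d6f73636f77311530130603"
    "55040a130c4d617261666f6e20496e632e3122302006092a864886f70d010901161361646d696e406c"
    "65676769726f6e692e636f6d311e301c06035504031315436572746966696361746520417574686f72"
    "6974790e000000")

def parse_eap_tls(pkt):
    """EAP header (RFC 3748) + EAP-TLS type 13 flags (RFC 5216); truncated packets are fine."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    flags, header_len, tls_length = pkt[5], 6, None
    if flags & 0x80:                                   # L bit: 4-byte total TLS length follows
        tls_length, header_len = struct.unpack("!I", pkt[6:10])[0], 10
    return {"code": code, "id": ident, "length": length, "header_len": header_len,
            "more": bool(flags & 0x40), "tls_length": tls_length, "payload": pkt[header_len:]}

def check_fragments(headers):
    frags = [parse_eap_tls(h) for h in headers]        # M bit must be set on all but the last fragment
    carried = sum(f["length"] - f["header_len"] for f in frags)
    flags_ok = all(f["more"] for f in frags[:-1]) and not frags[-1]["more"]
    return carried, frags[0]["tls_length"], flags_ok

def handshake_messages(buf):
    """(name, body) of every handshake message in complete TLS records; stops at a cut-off one."""
    out, pos = [], 0
    while pos + 5 <= len(buf):
        ctype, _version, rlen = struct.unpack("!BHH", buf[pos:pos + 5])
        body, pos = buf[pos + 5:pos + 5 + rlen], pos + 5 + rlen
        if ctype != 22 or len(body) < rlen:            # 22 = handshake; partial record -> stop
            break
        p = 0
        while p + 4 <= len(body):
            hlen = int.from_bytes(body[p + 1:p + 4], "big")
            out.append((HANDSHAKE.get(body[p], body[p]), body[p + 4:p + 4 + hlen]))
            p += 4 + hlen
    return out

def parse_hello(body, client):
    """gmt_unix_time (first 4 bytes of the TLS 1.0 random) and the cipher suite(s) of a Hello."""
    gmt, p = struct.unpack("!I", body[2:6])[0], 35 + body[34]   # skip version, random, session id
    n = struct.unpack("!H", body[p:p + 2])[0] if client else 2  # list length in bytes, or 1 suite
    p = p + 2 if client else p
    return gmt, [struct.unpack("!H", body[i:i + 2])[0] for i in range(p, p + n, 2)]

def der_tlv(buf, pos):
    """Minimal DER reader: (tag, value, position after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                      # long form: (ln & 0x7f) length bytes follow
        n = ln & 0x7f
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def dn_strings(dn):
    """Attribute values of an X.501 Name: SEQUENCE of SET of SEQUENCE { OID, value }."""
    rdns, values, pos = der_tlv(dn, 0)[1], [], 0
    while pos < len(rdns):
        _, rdn, pos = der_tlv(rdns, pos)
        atv = der_tlv(rdn, 0)[1]
        values.append(der_tlv(atv, der_tlv(atv, 0)[2])[1].decode("latin-1"))
    return values

def acceptable_cas(body):
    """The CA names listed in an RFC 2246 CertificateRequest (after the certificate types)."""
    p, cas = 3 + body[0], []
    end = p + struct.unpack("!H", body[p - 2:p])[0]
    while p < end:
        ln = struct.unpack("!H", body[p:p + 2])[0]
        cas.append(dn_strings(body[p + 2:p + 2 + ln]))
        p += 2 + ln
    return cas

def diagnose():
    """What each side said, and what the server is waiting for when the log goes quiet."""
    c_time, offered = parse_hello(handshake_messages(parse_eap_tls(CLIENT_HELLO)["payload"])[0][1], True)
    s_time, chosen = parse_hello(handshake_messages(parse_eap_tls(SERVER_FIRST_FRAGMENT)["payload"])[0][1], False)
    carried, announced, flags_ok = check_fragments(SERVER_FRAGMENT_HEADERS)
    tail = handshake_messages(SERVER_FLIGHT_TAIL)
    names = [name for name, _ in tail]
    return {"client_offered": offered, "server_chose": chosen[0],
            "export_suites_offered": sorted(EXPORT_SUITES & set(offered)), "clocks_agree": c_time == s_time,
            "server_flight_complete": carried == announced and flags_ok, "server_flight_end": names,
            "acceptable_cas": acceptable_cas(dict(tail)["CertificateRequest"]),
            "next_from_client": "Certificate" if names[-2:] == ["CertificateRequest", "ServerHelloDone"] else "?"}

if __name__ == "__main__": print(diagnose())
```

Run as-is it prints what diagnose() returns. For this log it shows that the three server fragments (EAP ids 10, 11 and 12, flags L+M, L+M and L) carry exactly the announced 2855 bytes, and that the server's flight ends with a CertificateRequest naming C=RU, ST=Moscow, L=Moscow, O=Marafon Inc., emailAddress=admin@leggironi.com, CN=Certificate Authority as the only acceptable issuer, followed by ServerHelloDone. The next TLS message therefore has to be the client's Certificate; the line "[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A" is the server waiting for exactly that, and after the last fragment no further Access-Request arrives before the "Cleaning up" lines. So the question to take to the supplicant's own debug output is whether its certificate and private key load and whether the certificate chains to the CA named in the CertificateRequest. Two side observations: the gmt_unix_time in both Hello randoms is identical (0x4bd7fd05), so clock skew between this client and server is not what breaks the exchange; and the client offers five 40-bit export suites, harmless here because the server picked 0x0039 (TLS_DHE_RSA_WITH_AES_256_CBC_SHA), but the tls section of eap.conf has a cipher_list setting with which a server can refuse them outright.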