Digest using an external database for the Password

Mike Brennan mbrennan at thrupoint.com
Tue Apr 30 11:40:32 CEST 2013


Hi

I now have a solution where an SBC is acting as a Radius Client that is
connecting to FreeRadius (2.1.12) to do SIP Digest authentication. The
password is stored in an external database (this is not the default schema
but my own). I have extracted the password (clear text) using an sql
query.

From the previous e-mail I put the sql query in the inner-tunnel (this was
confirmed by Alan), however, I think this may be incorrect - I believe it
should go in the default file (AM I CORRECT?)

Now I have done two tests - one test passes the other fails.

The test that passes - see the following two files:
draft_sterman_aaa_sip_03_freeradius_debug for the radiusd -X output and
radiusclient_draft_sterman_aaa_sip_03 for the Radiusclient output. As can
be seen this passes and my endpoint is authenticated.

The other test fails - see the following two files:
rfc4590_freeradius_debug and the radiusclient_rfc4590. The authentication
fails, I suspect that the attributes passed seem to cause FreeRadius to
reject the authentication. Not sure whether it is the client causing the
trouble with erroneous setting of the attributes or whether Freeradius is
interpreting them incorrectly.

It would be good to get to the bottom of the problem with using RFC 4590 -
I hope the debug files help. In the debug some fields are set as removed -
this is what I replaced sensitive information with.

Thx
Mike

-----Original Message-----
From: freeradius-users-bounces+mbrennan=thrupoint.com at lists.freeradius.org
[mailto:freeradius-users-bounces+mbrennan=thrupoint.com at lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: 25 April 2013 16:20
To: FreeRadius users mailing list
Subject: Re: Digest using an external database for the Password

Mike Brennan wrote:
> Hi Alan
> Thx for your input I did the following:
> In radiusd.conf file, within the instantiate section the following was
> added:
> sql
> authorize {
> 	...
> 	update control {
> 		Cleartext-Password := "%{sql: SELECT password FROM fusion ...}"
> 	}
> 	...
> }

  That is *not* what I said to do.  Some amount of independent thought is
required.

  List "sql" in the "instantiate" section.  DON'T put the rest of the text
above.

  DO edit the "inner-tunnel" file.  Look for the "authorize" section.
The text above shows an EXAMPLE of what you put in the "authorize"
section.  That's why it uses the word "authorize"

  DON'T put the "..." text in the config files.  That was meant to show
that OTHER text was also in the "authorize" section.

  DON'T put the "..." text in the SQL query.  That was meant to show the
REST of the SQL query

  DO think about what you're doing.

  DO put the ENTIRE sql SELECT statement into the example text I showed
above.

> In the inner-tunnel file I commented out the sql in the authorize
> section.
>
> It seemed to work - see attached small snippet from my debug. In the
> attached file there is still a rlm_sql_mysql: MYSQL check_error: 1146
> received message I have missed something else?

  Yes.

  That error is a MySQL error.  You've mis-typed the query.  Go read MySQL
documentation to see how to create a correct query.

  Alan DeKok.
-------------- next part --------------
FreeRADIUS Version 2.1.12, for host i386-redhat-linux-gnu, built on Oct  3 2012 at 01:20:08
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
main {
	user = "radiusd"
	group = "radiusd"
	allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
	name = "radiusd"
	prefix = "/usr"
	localstatedir = "/var"
	sbindir = "/usr/sbin"
	logdir = "/var/log/radius"
	run_dir = "/var/run/radiusd"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/radius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	pidfile = "/var/run/radiusd/radiusd.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = no
 log {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
 }
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
 client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = "testing123"
	nastype = "other"
 }
 client sbctest {
	ipaddr = 172.31.252.2
	require_message_authenticator = yes
	secret = "Removed"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /etc/raddb/modules/exec
  exec {
	wait = no
	input_pairs = "request"
	shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /etc/raddb/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration
  expiration {
	reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime
  logintime {
	reply-message = "You are calling outside your allowed timespan  "
	minimum-timeout = 60
  }
 Module: Linked to module rlm_sql
 Module: Instantiating module "sql" from file /etc/raddb/sql.conf
  sql {
	driver = "rlm_sql_mysql"
	server = "removed"
	port = "3306"
	login = "removed"
	password = "removed"
	radius_db = "fusion"
	read_groups = yes
	sqltrace = no
	sqltracefile = "/var/log/radius/sqltrace.sql"
	readclients = no
	deletestalesessions = yes
	num_sql_socks = 5
	lifetime = 0
	max_queries = 0
	sql_user_name = ""
	default_user_profile = ""
	nas_query = "SELECT id,nasname,shortname,type,secret FROM nas"
	authorize_check_query = ""
	authorize_group_check_query = ""
	authorize_group_reply_query = ""
	accounting_onoff_query = ""
	accounting_update_query = ""
	accounting_update_query_alt = ""
	accounting_start_query = ""
	accounting_start_query_alt = ""
	accounting_stop_query = ""
	accounting_stop_query_alt = ""
	connect_failure_retry_delay = 60
	simul_count_query = ""
	simul_verify_query = ""
	postauth_query = ""
	safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  }
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to admin at removed:3306/fusion
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
 }
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
 modules {
  Module: Creating Auth-Type = digest
  Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /etc/raddb/modules/pap
  pap {
	encryption_scheme = "auto"
	auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /etc/raddb/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
  mschap {
	use_mppe = yes
	require_encryption = no
	require_strong = no
	with_ntdomain_hack = no
	allow_retry = yes
  }
 Module: Linked to module rlm_digest
 Module: Instantiating module "digest" from file /etc/raddb/modules/digest
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /etc/raddb/modules/unix
  unix {
	radwtmp = "/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/raddb/eap.conf
  eap {
	default_eap_type = "md5"
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
	challenge = "Password: "
	auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
	rsa_key_exchange = no
	dh_key_exchange = yes
	rsa_key_length = 512
	dh_key_length = 512
	verify_depth = 0
	CA_path = "/etc/raddb/certs"
	pem_file_type = yes
	private_key_file = "/etc/raddb/certs/server.pem"
	certificate_file = "/etc/raddb/certs/server.pem"
	CA_file = "/etc/raddb/certs/ca.pem"
	private_key_password = "whatever"
	dh_file = "/etc/raddb/certs/dh"
	random_file = "/etc/raddb/certs/random"
	fragment_size = 1024
	include_length = yes
	check_crl = no
	cipher_list = "DEFAULT"
    cache {
	enable = no
	lifetime = 24
	max_entries = 255
    }
    verify {
    }
    ocsp {
	enable = no
	override_cert_url = yes
	url = "http://127.0.0.1/ocsp/"
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
	default_eap_type = "md5"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	virtual_server = "inner-tunnel"
	include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
	default_eap_type = "mschapv2"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	proxy_tunneled_request_as_eap = yes
	virtual_server = "inner-tunnel"
	soh = no
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
	with_ntdomain_hack = no
	send_error = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess
  preprocess {
	huntgroups = "/etc/raddb/huntgroups"
	hints = "/etc/raddb/hints"
	with_ascend_hack = no
	ascend_channels_per_line = 23
	with_ntdomain_hack = no
	with_specialix_jetstream_hack = no
	with_cisco_vsa_hack = no
	with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
  realm suffix {
	format = "suffix"
	delimiter = "@"
	ignore_default = no
	ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /etc/raddb/modules/files
  files {
	usersfile = "/etc/raddb/users"
	acctusersfile = "/etc/raddb/acct_users"
	preproxy_usersfile = "/etc/raddb/preproxy_users"
	compat = "no"
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique
  acct_unique {
	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module "detail" from file /etc/raddb/modules/detail
  detail {
	detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
	header = "%t"
	detailperm = 384
	dirperm = 493
	locking = no
	log_packet_header = no
  }
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
  radutmp {
	filename = "/var/log/radius/radutmp"
	username = "%{User-Name}"
	case_sensitive = yes
	check_with_nas = yes
	perm = 384
	callerid = yes
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter
  attr_filter attr_filter.accounting_response {
	attrsfile = "/etc/raddb/attrs.accounting_response"
	key = "%{User-Name}"
	relaxed = no
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter
  attr_filter attr_filter.access_reject {
	attrsfile = "/etc/raddb/attrs.access_reject"
	key = "%{User-Name}"
	relaxed = no
  }
 } # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 1812
}
listen {
	type = "acct"
	ipaddr = *
	port = 0
}
listen {
	type = "control"
 listen {
	socket = "/var/run/radiusd/radiusd.sock"
 }
}
listen {
	type = "auth"
	ipaddr = 127.0.0.1
	port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Ready to process requests.
rad_recv: Access-Request packet from host 172.31.252.2 port 1484, id=146, length=217
	NAS-IP-Address = 172.31.252.2
	User-Name = "test"
	Digest-Response = "a07866ea3930762152069e04e689ef62"
	Digest-Attributes = 0x0a0674657374
	Digest-Attributes = 0x011d667573696f6e2e6364666c61622e74687275706f696e742e636f6d
	Digest-Attributes = 0x0208353737383333
	Digest-Attributes = 0x030a5245474953544552
	Digest-Attributes = 0x04217369703a667573696f6e2e6364666c61622e74687275706f696e742e636f6d
	Digest-Attributes = 0x06056d6435
	Digest-Attributes = 0x08041401
	Digest-Attributes = 0x09042d31
	Acct-Session-Id = "04c3a38c01f53172"
	Message-Authenticator = 0xe260d03d95634cce72635804e1633df9
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[digest] Checking for correctly formatted Digest-Attributes
[digest] Digest-Attributes look OK.  Converting them to something more usful.
	Digest-User-Name = "test"
	Digest-Realm = "fusion.cdflab.thrupoint.com"
	Digest-Nonce = "577833"
	Digest-Method = "REGISTER"
	Digest-URI = "sip:fusion.cdflab.thrupoint.com"
	Digest-Algorithm = "md5"
	Digest-CNonce = "\024\001"
	Digest-Nonce-Count = "-1"
[digest] Adding Auth-Type = DIGEST
++[digest] returns ok
sql_xlat
	expand: SELECT password from fusion.cdm_credentials where person_id=(select person_id from cdm_person where user_name='%{User-Name}') -> SELECT password from fusion.cdm_credentials where person_id=(select person_id from cdm_person where user_name='test')
rlm_sql (sql): Reserving sql socket id: 4
sql_xlat finished
rlm_sql (sql): Released sql socket id: 4
	expand: %{sql:SELECT password from fusion.cdm_credentials where person_id=(select person_id from cdm_person where user_name='%{User-Name}')} -> test
++[control] returns ok
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = digest
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[digest] A1 = test:fusion.cdflab.thrupoint.com:test
[digest] A2 = REGISTER:sip:fusion.cdflab.thrupoint.com
H(A1) = 1a87e51397665b377e8e24e3d980fa3d
H(A2) = 818b8e422fb9fb113c1c7182a8c3f09c
[digest] KD = 1a87e51397665b377e8e24e3d980fa3d:577833:818b8e422fb9fb113c1c7182a8c3f09c 
EXPECTED a07866ea3930762152069e04e689ef62
RECEIVED a07866ea3930762152069e04e689ef62
++[digest] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 146 to 172.31.252.2 port 1484
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 146 with timestamp +5
Ready to process requests.
rad_recv: Access-Request packet from host 172.31.252.2 port 1484, id=147, length=217
	NAS-IP-Address = 172.31.252.2
	User-Name = "test"
	Digest-Response = "884cea1e2ede3ef0c819a2dd794b2a7b"
	Digest-Attributes = 0x0a0674657374
	Digest-Attributes = 0x011d667573696f6e2e6364666c61622e74687275706f696e742e636f6d
	Digest-Attributes = 0x0208363238363835
	Digest-Attributes = 0x030a5245474953544552
	Digest-Attributes = 0x04217369703a667573696f6e2e6364666c61622e74687275706f696e742e636f6d
	Digest-Attributes = 0x06056d6435
	Digest-Attributes = 0x08041401
	Digest-Attributes = 0x09042d31
	Acct-Session-Id = "04c3a38c01f53172"
	Message-Authenticator = 0x9c752f071ef45d4bdc986106bf10ba21
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[digest] Checking for correctly formatted Digest-Attributes
[digest] Digest-Attributes look OK.  Converting them to something more usful.
	Digest-User-Name = "test"
	Digest-Realm = "fusion.cdflab.thrupoint.com"
	Digest-Nonce = "628685"
	Digest-Method = "REGISTER"
	Digest-URI = "sip:fusion.cdflab.thrupoint.com"
	Digest-Algorithm = "md5"
	Digest-CNonce = "\024\001"
	Digest-Nonce-Count = "-1"
[digest] Adding Auth-Type = DIGEST
++[digest] returns ok
sql_xlat
	expand: SELECT password from fusion.cdm_credentials where person_id=(select person_id from cdm_person where user_name='%{User-Name}') -> SELECT password from fusion.cdm_credentials where person_id=(select person_id from cdm_person where user_name='test')
rlm_sql (sql): Reserving sql socket id: 3
sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
	expand: %{sql:SELECT password from fusion.cdm_credentials where person_id=(select person_id from cdm_person where user_name='%{User-Name}')} -> test
++[control] returns ok
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = digest
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[digest] A1 = test:fusion.cdflab.thrupoint.com:test
[digest] A2 = REGISTER:sip:fusion.cdflab.thrupoint.com
H(A1) = 1a87e51397665b377e8e24e3d980fa3d
H(A2) = 818b8e422fb9fb113c1c7182a8c3f09c
[digest] KD = 1a87e51397665b377e8e24e3d980fa3d:628685:818b8e422fb9fb113c1c7182a8c3f09c 
EXPECTED 884cea1e2ede3ef0c819a2dd794b2a7b
RECEIVED 884cea1e2ede3ef0c819a2dd794b2a7b
++[digest] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 147 to 172.31.252.2 port 1484
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
-------------- next part --------------
>09:27:33  Tx  Access-Request   146  172.31.252.2:1484     -> 172.31.252.47:1812
  Authenticator          bd6de3db23178e4fb54e0568fd06f06b
  NAS-IP-Address         172.31.252.2
  User-Name              test
  Digest-Response        6130373836366561333933303736323135323036396530346536383965663632
  Digest-User-Name       test
  Digest-Realm           fusion.cdflab.thrupoint.com
  Digest-Nonce           577833
  Digest-Method          REGISTER
  Digest-URI             sip:fusion.cdflab.thrupoint.com
  Digest-Algorithm       md5
  Digest-CNonce
  Digest-Nonce-Count     -1
  Acct-Session-ID        04c3a38c01f53172
  Message-Authenticator  e260d03d95634cce72635804e1633df9
09:27:33  Rx  Access-Accept    146  172.31.252.2:1484     <- 172.31.252.47:1812 
  Authenticator          2ff7eeeb7e7ba445924e9b8787fed9b5
09:27:43  Tx  Access-Request   147  172.31.252.2:1484     -> 172.31.252.47:1812 
  Authenticator          5de6519fbe81d246e4860223f9d978ca
  NAS-IP-Address         172.31.252.2
  User-Name              test
  Digest-Response        3838346365613165326564653365663063383139613264643739346232613762
  Digest-User-Name       test
  Digest-Realm           fusion.cdflab.thrupoint.com
  Digest-Nonce           628685
  Digest-Method          REGISTER
  Digest-URI             sip:fusion.cdflab.thrupoint.com
  Digest-Algorithm       md5
  Digest-CNonce
  Digest-Nonce-Count     -1
  Acct-Session-ID        04c3a38c01f53172
  Message-Authenticator  9c752f071ef45d4bdc986106bf10ba21
09:27:43  Rx  Access-Accept    147  172.31.252.2:1484     <- 172.31.252.47:1812 
  Authenticator          02e19110de9fa58e0ce3eb2e2aa49352
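
Added example (not part of the original post or its attachments): a Python sketch that decodes the Digest-Attributes sub-attributes from request id=146 in the radiusd -X output above and recomputes the EXPECTED value from A1, A2 and KD as the debug log prints them. The function names are hypothetical; the password "test" is the value the SQL expansion returned in that log, and only the MD5, no-qop case seen there is handled.

```python
import hashlib
import hmac

# Sub-attribute numbers inside Digest-Attributes (draft-sterman-aaa-sip),
# named the way FreeRADIUS prints them in the debug output.
SUBTYPES = {
    1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method", 4: "Digest-URI",
    5: "Digest-QOP", 6: "Digest-Algorithm", 7: "Digest-Body-Digest",
    8: "Digest-CNonce", 9: "Digest-Nonce-Count", 10: "Digest-User-Name",
}

# Copied from request id=146 in the radiusd -X attachment.
REQUEST_146 = [
    "0x0a0674657374",
    "0x011d667573696f6e2e6364666c61622e74687275706f696e742e636f6d",
    "0x0208353737383333",
    "0x030a5245474953544552",
    "0x04217369703a667573696f6e2e6364666c61622e74687275706f696e742e636f6d",
    "0x06056d6435",
    "0x08041401",
    "0x09042d31",
]

# Digest-Response for id=146 as the radiusclient trace prints it.
CLIENT_TRACE_146 = (
    "6130373836366561333933303736323135323036396530346536383965663632"
)


def decode_digest_attributes(hex_values):
    """Split each Digest-Attributes value into (subtype, length, value)
    records; the length byte counts the two header bytes as well."""
    attrs = {}
    for text in hex_values:
        raw = bytes.fromhex(text[2:] if text.lower().startswith("0x") else text)
        pos = 0
        while pos < len(raw):
            if len(raw) - pos < 3:
                raise ValueError("truncated sub-attribute")
            subtype, length = raw[pos], raw[pos + 1]
            if length < 3 or pos + length > len(raw):
                raise ValueError("bad sub-attribute length %d" % length)
            name = SUBTYPES.get(subtype, "Unknown-%d" % subtype)
            attrs[name] = raw[pos + 2:pos + length]
            pos += length
    return attrs


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def expected_response(attrs, password):
    """Recompute the digest response for the MD5, no-qop case:
    MD5(H(A1):nonce:H(A2)), A1 = user:realm:password, A2 = method:URI."""
    if attrs.get("Digest-Algorithm", b"md5").lower() != b"md5":
        raise NotImplementedError("only MD5 is handled in this sketch")
    if "Digest-QOP" in attrs:
        raise NotImplementedError("qop is not handled in this sketch")
    needed = ("Digest-User-Name", "Digest-Realm", "Digest-Nonce",
              "Digest-Method", "Digest-URI")
    missing = [n for n in needed if n not in attrs]
    if missing:
        raise ValueError("missing sub-attributes: %s" % ", ".join(missing))
    user, realm, nonce, method, uri = (attrs[n].decode("utf-8") for n in needed)
    ha1 = md5_hex("%s:%s:%s" % (user, realm, password))
    ha2 = md5_hex("%s:%s" % (method, uri))
    return md5_hex("%s:%s:%s" % (ha1, nonce, ha2))


def client_trace_response(hex_of_ascii):
    """The client trace shows the response string hex-encoded byte by byte;
    turn it back into the 32-character string the server log shows."""
    return bytes.fromhex(hex_of_ascii).decode("ascii")


def verify(attrs, password, received):
    """Constant-time comparison of the received and recomputed responses."""
    want = expected_response(attrs, password)
    return hmac.compare_digest(want.encode("ascii"),
                               received.lower().encode("ascii"))


if __name__ == "__main__":
    decoded = decode_digest_attributes(REQUEST_146)
    for name, value in decoded.items():
        print("%-20s %r" % (name, value))
    print("EXPECTED", expected_response(decoded, "test"))
    print("RECEIVED", client_trace_response(CLIENT_TRACE_146))
```
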
-------------- next part --------------
Auth>09:20:08  Tx  Access-Request   143  172.31.252.2:1484     -> 172.31.252.47:1812
  Authenticator          1a673100c06a3cf49ef088a9343fffe4
  NAS-IP-Address         172.31.252.2
  User-Name              test
  Digest-Response        8c12354250405c0aaca98f864c4a469c
  Digest-User-Name       test
  Digest-Realm           fusion.cdflab.thrupoint.com
  Digest-Nonce           377090
  Digest-Method          REGISTER
  Digest-URI             sip:fusion.cdflab.thrupoint.com
  Digest-Algorithm       md5
  Digest-CNonce
  Digest-Nonce-Count     -1
  Acct-Session-ID        04c3a38bc1569c09
  Message-Authenticator  efcb8ee66d33a056b8f9488508731a7b
09:20:09  Rx  Access-Reject    143  172.31.252.2:1484     <- 172.31.252.47:1812
  Authenticator          46117f55f61ade60bcbbd20c1a67ca4b
09:20:09  Tx  Access-Request   144  172.31.252.2:1484     -> 172.31.252.47:1812
  Authenticator          3263437128f30e7b91ed639fc7c4aed2
  NAS-IP-Address         172.31.252.2
  User-Name              test
  Digest-Response        a89cabb63f58e0c3352a00d319571cdc
  Digest-User-Name       test
  Digest-Realm           fusion.cdflab.thrupoint.com
  Digest-Nonce           427880
  Digest-Method          REGISTER
  Digest-URI             sip:fusion.cdflab.thrupoint.com
  Digest-Algorithm       md5
  Digest-CNonce
  Digest-Nonce-Count     -1
  Acct-Session-ID        04c3a38bc1569c09
  Message-Authenticator  635a1d86660ceadc4def75ddd7a3d69b
09:20:10  Rx  Access-Reject    144  172.31.252.2:1484     <- 172.31.252.47:1812
  Authenticator          bff90cc5165222daa56b00e507cd917b
09:20:10  Tx  Access-Request   145  172.31.252.2:1484     -> 172.31.252.47:1812
  Authenticator          2a8595abb6f5ecd2b92e80c1a15cb493
  NAS-IP-Address         172.31.252.2
  User-Name              test
  Digest-Response        8f160134898dd80591f02676dba3b5bd
  Digest-User-Name       test
  Digest-Realm           fusion.cdflab.thrupoint.com
  Digest-Nonce           442690
  Digest-Method          REGISTER
  Digest-URI             sip:fusion.cdflab.thrupoint.com
  Digest-Algorithm       md5
  Digest-CNonce
  Digest-Nonce-Count     -1
  Acct-Session-ID        04c3a38bc1569c09
  Message-Authenticator  e1fbf8639440b74b866a8581b9f1954a
09:20:11  Rx  Access-Reject    145  172.31.252.2:1484     <- 172.31.252.47:1812
  Authenticator          cc3c1298c38bcc3a7b999038fb124823
-------------- next part --------------
FreeRADIUS Version 2.1.12, for host i386-redhat-linux-gnu, built on Oct  3 2012 at 01:20:08
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
main {
	user = "radiusd"
	group = "radiusd"
	allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
	name = "radiusd"
	prefix = "/usr"
	localstatedir = "/var"
	sbindir = "/usr/sbin"
	logdir = "/var/log/radius"
	run_dir = "/var/run/radiusd"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/radius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	pidfile = "/var/run/radiusd/radiusd.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = no
 log {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
 }
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
 client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = "testing123"
	nastype = "other"
 }
 client sbctest {
	ipaddr = 172.31.252.2
	require_message_authenticator = yes
	secret = "removed"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /etc/raddb/modules/exec
  exec {
	wait = no
	input_pairs = "request"
	shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /etc/raddb/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration
  expiration {
	reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime
  logintime {
	reply-message = "You are calling outside your allowed timespan  "
	minimum-timeout = 60
  }
 Module: Linked to module rlm_sql
 Module: Instantiating module "sql" from file /etc/raddb/sql.conf
  sql {
	driver = "rlm_sql_mysql"
	server = "removed"
	port = "3306"
	login = "removed"
	password = "removed"
	radius_db = "fusion"
	read_groups = yes
	sqltrace = no
	sqltracefile = "/var/log/radius/sqltrace.sql"
	readclients = no
	deletestalesessions = yes
	num_sql_socks = 5
	lifetime = 0
	max_queries = 0
	sql_user_name = ""
	default_user_profile = ""
	nas_query = "SELECT id,nasname,shortname,type,secret FROM nas"
	authorize_check_query = ""
	authorize_group_check_query = ""
	authorize_group_reply_query = ""
	accounting_onoff_query = ""
	accounting_update_query = ""
	accounting_update_query_alt = ""
	accounting_start_query = ""
	accounting_start_query_alt = ""
	accounting_stop_query = ""
	accounting_stop_query_alt = ""
	connect_failure_retry_delay = 60
	simul_count_query = ""
	simul_verify_query = ""
	postauth_query = ""
	safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  }
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to admin at removed:3306/fusion
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
 }
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
 modules {
  Module: Creating Auth-Type = digest
  Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /etc/raddb/modules/pap
  pap {
	encryption_scheme = "auto"
	auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /etc/raddb/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
  mschap {
	use_mppe = yes
	require_encryption = no
	require_strong = no
	with_ntdomain_hack = no
	allow_retry = yes
  }
 Module: Linked to module rlm_digest
 Module: Instantiating module "digest" from file /etc/raddb/modules/digest
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /etc/raddb/modules/unix
  unix {
	radwtmp = "/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/raddb/eap.conf
  eap {
	default_eap_type = "md5"
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
	challenge = "Password: "
	auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
	rsa_key_exchange = no
	dh_key_exchange = yes
	rsa_key_length = 512
	dh_key_length = 512
	verify_depth = 0
	CA_path = "/etc/raddb/certs"
	pem_file_type = yes
	private_key_file = "/etc/raddb/certs/server.pem"
	certificate_file = "/etc/raddb/certs/server.pem"
	CA_file = "/etc/raddb/certs/ca.pem"
	private_key_password = "whatever"
	dh_file = "/etc/raddb/certs/dh"
	random_file = "/etc/raddb/certs/random"
	fragment_size = 1024
	include_length = yes
	check_crl = no
	cipher_list = "DEFAULT"
    cache {
	enable = no
	lifetime = 24
	max_entries = 255
    }
    verify {
    }
    ocsp {
	enable = no
	override_cert_url = yes
	url = "http://127.0.0.1/ocsp/"
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
	default_eap_type = "md5"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	virtual_server = "inner-tunnel"
	include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
	default_eap_type = "mschapv2"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	proxy_tunneled_request_as_eap = yes
	virtual_server = "inner-tunnel"
	soh = no
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
	with_ntdomain_hack = no
	send_error = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess
  preprocess {
	huntgroups = "/etc/raddb/huntgroups"
	hints = "/etc/raddb/hints"
	with_ascend_hack = no
	ascend_channels_per_line = 23
	with_ntdomain_hack = no
	with_specialix_jetstream_hack = no
	with_cisco_vsa_hack = no
	with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
  realm suffix {
	format = "suffix"
	delimiter = "@"
	ignore_default = no
	ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /etc/raddb/modules/files
  files {
	usersfile = "/etc/raddb/users"
	acctusersfile = "/etc/raddb/acct_users"
	preproxy_usersfile = "/etc/raddb/preproxy_users"
	compat = "no"
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique
  acct_unique {
	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module "detail" from file /etc/raddb/modules/detail
  detail {
	detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
	header = "%t"
	detailperm = 384
	dirperm = 493
	locking = no
	log_packet_header = no
  }
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
  radutmp {
	filename = "/var/log/radius/radutmp"
	username = "%{User-Name}"
	case_sensitive = yes
	check_with_nas = yes
	perm = 384
	callerid = yes
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter
  attr_filter attr_filter.accounting_response {
	attrsfile = "/etc/raddb/attrs.accounting_response"
	key = "%{User-Name}"
	relaxed = no
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter
  attr_filter attr_filter.access_reject {
	attrsfile = "/etc/raddb/attrs.access_reject"
	key = "%{User-Name}"
	relaxed = no
  }
 } # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 1812
}
listen {
	type = "acct"
	ipaddr = *
	port = 0
}
listen {
	type = "control"
 listen {
	socket = "/var/run/radiusd/radiusd.sock"
 }
}
listen {
	type = "auth"
	ipaddr = 127.0.0.1
	port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Ready to process requests.
rad_recv: Access-Request packet from host 172.31.252.2 port 1484, id=143, length=201
	NAS-IP-Address = 172.31.252.2
	User-Name = "test"
	Attr-103 = 0x3863313233353432353034303563306161636139386638363463346134363963
	Attr-115 = 0x74657374
	Attr-104 = 0x667573696f6e2e6364666c61622e74687275706f696e742e636f6d
	Attr-105 = 0x333737303930
	Attr-108 = 0x5245474953544552
	Attr-109 = 0x7369703a667573696f6e2e6364666c61622e74687275706f696e742e636f6d
	Attr-111 = 0x6d6435
	Attr-113 = 0x1401
	Attr-114 = 0x2d31
	Acct-Session-Id = "04c3a38bc1569c09"
	Message-Authenticator = 0xefcb8ee66d33a056b8f9488508731a7b
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[digest] returns noop
sql_xlat
	expand: SELECT password from fusion.cdm_credentials where person_id=(select person_id from cdm_person where user_name='%{User-Name}') -> SELECT password from fusion.cdm_credentials where person_id=(select person_id from cdm_person where user_name='test')
rlm_sql (sql): Reserving sql socket id: 4
sql_xlat finished
rlm_sql (sql): Released sql socket id: 4
	expand: %{sql:SELECT password from fusion.cdm_credentials where person_id=(select person_id from cdm_person where user_name='%{User-Name}')} -> test
++[control] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No User-Password or CHAP-Password attribute in the request.
Cannot perform authentication.
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 143 to 172.31.252.2 port 1484
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.31.252.2 port 1484, id=144, length=201
	NAS-IP-Address = 172.31.252.2
	User-Name = "test"
	Attr-103 = 0x6138396361626236336635386530633333353261303064333139353731636463
	Attr-115 = 0x74657374
	Attr-104 = 0x667573696f6e2e6364666c61622e74687275706f696e742e636f6d
	Attr-105 = 0x343237383830
	Attr-108 = 0x5245474953544552
	Attr-109 = 0x7369703a667573696f6e2e6364666c61622e74687275706f696e742e636f6d
	Attr-111 = 0x6d6435
	Attr-113 = 0x1401
	Attr-114 = 0x2d31
	Acct-Session-Id = "04c3a38bc1569c09"
	Message-Authenticator = 0x635a1d86660ceadc4def75ddd7a3d69b
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[digest] returns noop
sql_xlat
	expand: SELECT password from fusion.cdm_credentials where person_id=(select person_id from cdm_person where user_name='%{User-Name}') -> SELECT password from fusion.cdm_credentials where person_id=(select person_id from cdm_person where user_name='test')
rlm_sql (sql): Reserving sql socket id: 3
sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
	expand: %{sql:SELECT password from fusion.cdm_credentials where person_id=(select person_id from cdm_person where user_name='%{User-Name}')} -> test
++[control] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No User-Password or CHAP-Password attribute in the request.
Cannot perform authentication.
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 144 to 172.31.252.2 port 1484
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 172.31.252.2 port 1484, id=145, length=201
	NAS-IP-Address = 172.31.252.2
	User-Name = "test"
	Attr-103 = 0x3866313630313334383938646438303539316630323637366462613362356264
	Attr-115 = 0x74657374
	Attr-104 = 0x667573696f6e2e6364666c61622e74687275706f696e742e636f6d
	Attr-105 = 0x343432363930
	Attr-108 = 0x5245474953544552
	Attr-109 = 0x7369703a667573696f6e2e6364666c61622e74687275706f696e742e636f6d
	Attr-111 = 0x6d6435
	Attr-113 = 0x1401
	Attr-114 = 0x2d31
	Acct-Session-Id = "04c3a38bc1569c09"
	Message-Authenticator = 0xe1fbf8639440b74b866a8581b9f1954a
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[digest] returns noop
sql_xlat
	expand: SELECT password from fusion.cdm_credentials where person_id=(select person_id from cdm_person where user_name='%{User-Name}') -> SELECT password from fusion.cdm_credentials where person_id=(select person_id from cdm_person where user_name='test')
rlm_sql (sql): Reserving sql socket id: 2
sql_xlat finished
rlm_sql (sql): Released sql socket id: 2
	expand: %{sql:SELECT password from fusion.cdm_credentials where person_id=(select person_id from cdm_person where user_name='%{User-Name}')} -> test
++[control] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No User-Password or CHAP-Password attribute in the request.
Cannot perform authentication.
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 145 to 172.31.252.2 port 1484
Waking up in 2.9 seconds.
Cleaning up request 0 ID 143 with timestamp +20
Waking up in 1.0 seconds.
Cleaning up request 1 ID 144 with timestamp +21
Waking up in 1.0 seconds.
Cleaning up request 2 ID 145 with timestamp +22
Ready to process requests.
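An added example, not part of the original post or of FreeRADIUS: the server prints the digest attributes of each request only as `Attr-103` to `Attr-115`, and those numbers are the ones RFC 5090 (which obsoletes RFC 4590) assigns to the Digest-* attributes. This Python script decodes the hex values and recomputes the RFC 2617 response for comparison. The function names are assumptions made for this example; the sample lines are copied from request id=143 above, and `test` is the password the SQL expansion in the log returned.

```python
import hashlib
import re
# Attribute numbers as assigned by RFC 5090 (which obsoletes RFC 4590).
RFC5090 = {
    103: "Digest-Response", 104: "Digest-Realm", 105: "Digest-Nonce",
    108: "Digest-Method", 109: "Digest-URI", 110: "Digest-Qop",
    111: "Digest-Algorithm", 113: "Digest-CNonce",
    114: "Digest-Nonce-Count", 115: "Digest-Username",
}

# Attribute lines copied from the first Access-Request (id=143) in the log.
SAMPLE = """
Attr-103 = 0x3863313233353432353034303563306161636139386638363463346134363963
Attr-115 = 0x74657374
Attr-104 = 0x667573696f6e2e6364666c61622e74687275706f696e742e636f6d
Attr-105 = 0x333737303930
Attr-108 = 0x5245474953544552
Attr-109 = 0x7369703a667573696f6e2e6364666c61622e74687275706f696e742e636f6d
Attr-111 = 0x6d6435
Attr-113 = 0x1401
Attr-114 = 0x2d31
"""

ATTR_RE = re.compile(r"^\s*Attr-(\d+) = 0x([0-9a-fA-F]+)\s*$", re.M)

def decode_attrs(debug_text):
    """Map 'Attr-NNN = 0x..' lines to {name: str}, or bytes if not printable ASCII."""
    out = {}
    for num, hexval in ATTR_RE.findall(debug_text):
        raw = bytes.fromhex(hexval)
        name = RFC5090.get(int(num), "Attr-" + num)
        printable = all(0x20 <= b < 0x7f for b in raw)
        out[name] = raw.decode("ascii") if printable else raw
    return out

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def expected_response(user, realm, password, method, uri, nonce,
                      qop=None, nc=None, cnonce=None):
    """RFC 2617 request-digest, algorithm MD5, with or without qop."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    if qop:
        return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

if __name__ == "__main__":
    a = decode_attrs(SAMPLE)
    for name, value in a.items():
        print(f"{name:20} {value!r}")
    # "test" is the value the SQL expansion in the log returned for this user.
    want = expected_response(a["Digest-Username"], a["Digest-Realm"], "test",
                             a["Digest-Method"], a["Digest-URI"], a["Digest-Nonce"])
    print("matches Digest-Response:", want == a["Digest-Response"].lower())
```

In the decoded request, Digest-CNonce is two non-printable bytes and Digest-Nonce-Count is `-1`, while no Digest-Qop (attribute 110) is present.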

