FreeRADIUS not receiving password from WLC

Richard Long longrichard562 at yahoo.com
Wed May 7 17:33:38 CEST 2014


Hi all, 
I'm a bit stuck. I've stood up a CentOS server with FreeRADIUS so I can authenticate against Active Directory using a Cisco Wireless Controller. As you can see from the output below, I've got ntlm_auth and radtest working correctly; however, the wireless controller doesn't seem to be passing passwords to FreeRADIUS. I very obviously got something wrong in my setup, but I can't figure out what. I appreciate any help.
[root at san-prod-rad-01 /]# ntlm_auth --request-nt-key --domain=NOTTELLING --username=mschmidt
password: 
NT_STATUS_OK: Success (0x0) 
------------------------------------------------------------------------ 
[root at san-prod-rad-01 /]# radtest mschmidt ########## 127.0.0.1 0 C at tHelm3t 
Sending Access-Request of id 155 to 127.0.0.1 port 1812 
        User-Name = "mschmidt" 
        User-Password = "#######" 
        NAS-IP-Address = 10.X.X.111 
        NAS-Port = 0 
        Message-Authenticator = 0x00000000000000000000000000000000 
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=155, length=20 
------------------------------------------------------------------------ 
[root at san-prod-rad-01 ~]# radiusd -X 
FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct  3 2012 at 01:22:51 
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ... 
including configuration file /etc/raddb/radiusd.conf 
including configuration file /etc/raddb/proxy.conf 
including configuration file /etc/raddb/clients.conf 
including files in directory /etc/raddb/modules/ 
including configuration file /etc/raddb/modules/realm 
including configuration file /etc/raddb/modules/attr_rewrite 
including configuration file /etc/raddb/modules/sradutmp 
including configuration file /etc/raddb/modules/expr 
including configuration file /etc/raddb/modules/smbpasswd 
including configuration file /etc/raddb/modules/ntlm_auth 
including configuration file /etc/raddb/modules/digest 
including configuration file /etc/raddb/modules/soh 
including configuration file /etc/raddb/modules/redis 
including configuration file /etc/raddb/modules/policy 
including configuration file /etc/raddb/modules/echo 
including configuration file /etc/raddb/modules/counter 
including configuration file /etc/raddb/modules/ippool 
including configuration file /etc/raddb/modules/pap 
including configuration file /etc/raddb/modules/files 
including configuration file /etc/raddb/modules/wimax 
including configuration file /etc/raddb/modules/expiration 
including configuration file /etc/raddb/modules/inner-eap 
including configuration file /etc/raddb/modules/attr_filter 
including configuration file /etc/raddb/modules/chap 
including configuration file /etc/raddb/modules/logintime 
including configuration file /etc/raddb/modules/perl 
including configuration file /etc/raddb/modules/otp 
including configuration file /etc/raddb/modules/dynamic_clients 
including configuration file /etc/raddb/modules/detail 
including configuration file /etc/raddb/modules/preprocess 
including configuration file /etc/raddb/modules/opendirectory 
including configuration file /etc/raddb/modules/sql_log 
including configuration file /etc/raddb/modules/cui 
including configuration file /etc/raddb/modules/mschap 
including configuration file /etc/raddb/modules/acct_unique 
including configuration file /etc/raddb/modules/detail.example.com 
including configuration file /etc/raddb/modules/unix 
including configuration file /etc/raddb/modules/checkval 
including configuration file /etc/raddb/modules/replicate 
including configuration file /etc/raddb/modules/detail.log 
including configuration file /etc/raddb/modules/mac2vlan 
including configuration file /etc/raddb/modules/linelog 
including configuration file /etc/raddb/modules/smsotp 
including configuration file /etc/raddb/modules/always 
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login 
including configuration file /etc/raddb/modules/etc_group 
including configuration file /etc/raddb/modules/mac2ip 
including configuration file /etc/raddb/modules/exec 
including configuration file /etc/raddb/modules/passwd 
including configuration file /etc/raddb/modules/pam 
including configuration file /etc/raddb/modules/rediswho 
including configuration file /etc/raddb/modules/radutmp 
including configuration file /etc/raddb/eap.conf 
including configuration file /etc/raddb/sql.conf 
including configuration file /etc/raddb/sql/mysql/dialup.conf 
including configuration file /etc/raddb/policy.conf 
including files in directory /etc/raddb/sites-enabled/ 
including configuration file /etc/raddb/sites-enabled/default 
including configuration file /etc/raddb/sites-enabled/inner-tunnel 
including configuration file /etc/raddb/sites-enabled/control-socket 
main { 
        user = "radiusd" 
        group = "radiusd" 
        allow_core_dumps = no 
} 
including dictionary file /etc/raddb/dictionary 
main { 
        name = "radiusd" 
        prefix = "/usr" 
        localstatedir = "/var" 
        sbindir = "/usr/sbin" 
        logdir = "/var/log/radius" 
        run_dir = "/var/run/radiusd" 
        libdir = "/usr/lib64/freeradius" 
        radacctdir = "/var/log/radius/radacct" 
        hostname_lookups = no 
        max_request_time = 30 
        cleanup_delay = 5 
        max_requests = 1024 
        pidfile = "/var/run/radiusd/radiusd.pid" 
        checkrad = "/usr/sbin/checkrad" 
        debug_level = 0 
        proxy_requests = yes 
 log { 
        stripped_names = no 
        auth = no 
        auth_badpass = no 
        auth_goodpass = no 
 } 
 security { 
        max_attributes = 200 
        reject_delay = 1 
        status_server = yes 
 } 
} 
radiusd: #### Loading Realms and Home Servers #### 
 proxy server { 
        retry_delay = 5 
        retry_count = 3 
        default_fallback = no 
        dead_time = 120 
        wake_all_if_all_dead = no 
 } 
 home_server localhost { 
        ipaddr = 127.0.0.1 
        port = 1812 
        type = "auth" 
        secret = "testing123" 
        response_window = 20 
        max_outstanding = 65536 
        require_message_authenticator = yes 
        zombie_period = 40 
        status_check = "status-server" 
        ping_interval = 30 
        check_interval = 30 
        num_answers_to_alive = 3 
        num_pings_to_alive = 3 
        revive_interval = 120 
        status_check_timeout = 4 
  coa { 
        irt = 2 
        mrt = 16 
        mrc = 5 
        mrd = 30 
  } 
 } 
 home_server_pool my_auth_failover { 
        type = fail-over 
        home_server = localhost 
 } 
 realm example.com { 
        auth_pool = my_auth_failover 
 } 
 realm LOCAL { 
 } 
radiusd: #### Loading Clients #### 
 client localhost { 
        ipaddr = 127.0.0.1 
        require_message_authenticator = no 
        secret = "C at tHelm3t" 
        nastype = "other" 
 } 
 client 192.168.X.X { 
        require_message_authenticator = no 
        secret = "C at tHelm3t" 
        shortname = "sano-wlc-01" 
        nastype = "cisco" 
 } 
radiusd: #### Instantiating modules #### 
 instantiate { 
 Module: Linked to module rlm_exec 
 Module: Instantiating module "exec" from file /etc/raddb/modules/exec 
  exec { 
        wait = no 
        input_pairs = "request" 
        shell_escape = yes 
  } 
 Module: Linked to module rlm_expr 
 Module: Instantiating module "expr" from file /etc/raddb/modules/expr 
 Module: Linked to module rlm_expiration 
 Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration 
  expiration { 
        reply-message = "Password Has Expired  " 
  } 
 Module: Linked to module rlm_logintime 
 Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime 
  logintime { 
        reply-message = "You are calling outside your allowed timespan  " 
        minimum-timeout = 60 
  } 
 } 
radiusd: #### Loading Virtual Servers #### 
server { # from file /etc/raddb/radiusd.conf 
 modules { 
  Module: Creating Auth-Type = NTLM 
  Module: Creating Auth-Type = digest 
  Module: Creating Post-Auth-Type = REJECT 
 Module: Checking authenticate {...} for more modules to load 
 Module: Instantiating module "ntlm_auth" from file /etc/raddb/modules/ntlm_auth 
  exec ntlm_auth { 
        wait = yes 
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=NOTTELLING --username=%{mschap:User-Name} --password=%{User-Password}" 
        input_pairs = "request" 
        shell_escape = yes 
  } 
 Module: Linked to module rlm_pap 
 Module: Instantiating module "pap" from file /etc/raddb/modules/pap 
  pap { 
        encryption_scheme = "auto" 
        auto_header = no 
  } 
 Module: Linked to module rlm_chap 
 Module: Instantiating module "chap" from file /etc/raddb/modules/chap 
 Module: Linked to module rlm_mschap 
 Module: Instantiating module "mschap" from file /etc/raddb/radiusd.conf 
  mschap { 
        use_mppe = yes 
        require_encryption = yes 
        require_strong = yes 
        with_ntdomain_hack = yes 
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain:-NOTTELLING} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" 
        allow_retry = yes 
  } 
 Module: Linked to module rlm_digest 
 Module: Instantiating module "digest" from file /etc/raddb/modules/digest 
 Module: Linked to module rlm_unix 
 Module: Instantiating module "unix" from file /etc/raddb/modules/unix 
  unix { 
        radwtmp = "/var/log/radius/radwtmp" 
  } 
 Module: Linked to module rlm_eap 
 Module: Instantiating module "eap" from file /etc/raddb/eap.conf 
  eap { 
        default_eap_type = "peap" 
        timer_expire = 60 
        ignore_unknown_eap_types = no 
        cisco_accounting_username_bug = no 
        max_sessions = 4096 
  } 
 Module: Linked to sub-module rlm_eap_md5 
 Module: Instantiating eap-md5 
 Module: Linked to sub-module rlm_eap_leap 
 Module: Instantiating eap-leap 
 Module: Linked to sub-module rlm_eap_gtc 
 Module: Instantiating eap-gtc 
   gtc { 
        challenge = "Password: " 
        auth_type = "PAP" 
   } 
 Module: Linked to sub-module rlm_eap_tls 
 Module: Instantiating eap-tls 
   tls { 
        rsa_key_exchange = no 
        dh_key_exchange = yes 
        rsa_key_length = 512 
        dh_key_length = 512 
        verify_depth = 0 
        CA_path = "/etc/raddb/certs" 
        pem_file_type = yes 
        private_key_file = "/etc/raddb/certs/server.pem" 
        certificate_file = "/etc/raddb/certs/server.pem" 
        CA_file = "/etc/raddb/certs/ca.pem" 
        private_key_password = "whatever" 
        dh_file = "/etc/raddb/certs/dh" 
        random_file = "/dev/urandom" 
        fragment_size = 1024 
        include_length = yes 
        check_crl = no 
        cipher_list = "DEFAULT" 
    cache { 
        enable = no 
        lifetime = 24 
        max_entries = 255 
    } 
    verify { 
    } 
    ocsp { 
        enable = no 
        override_cert_url = yes 
        url = "http://127.0.0.1/ocsp/" 
    } 
   } 
 Module: Linked to sub-module rlm_eap_ttls 
 Module: Instantiating eap-ttls 
   ttls { 
        default_eap_type = "md5" 
        copy_request_to_tunnel = no 
        use_tunneled_reply = no 
        virtual_server = "inner-tunnel" 
        include_length = yes 
   } 
 Module: Linked to sub-module rlm_eap_peap 
 Module: Instantiating eap-peap 
   peap { 
        default_eap_type = "mschapv2" 
        copy_request_to_tunnel = no 
        use_tunneled_reply = no 
        proxy_tunneled_request_as_eap = yes 
        virtual_server = "inner-tunnel" 
        soh = no 
   } 
 Module: Linked to sub-module rlm_eap_mschapv2 
 Module: Instantiating eap-mschapv2 
   mschapv2 { 
        with_ntdomain_hack = no 
        send_error = no 
   } 
 Module: Checking authorize {...} for more modules to load 
 Module: Linked to module rlm_preprocess 
 Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess 
  preprocess { 
        huntgroups = "/etc/raddb/huntgroups" 
        hints = "/etc/raddb/hints" 
        with_ascend_hack = no 
        ascend_channels_per_line = 23 
        with_ntdomain_hack = no 
        with_specialix_jetstream_hack = no 
        with_cisco_vsa_hack = no 
        with_alvarion_vsa_hack = no 
  } 
 Module: Linked to module rlm_realm 
 Module: Instantiating module "suffix" from file /etc/raddb/modules/realm 
  realm suffix { 
        format = "suffix" 
        delimiter = "@" 
        ignore_default = no 
        ignore_null = no 
  } 
 Module: Linked to module rlm_files 
 Module: Instantiating module "files" from file /etc/raddb/modules/files 
  files { 
        usersfile = "/etc/raddb/users" 
        acctusersfile = "/etc/raddb/acct_users" 
        preproxy_usersfile = "/etc/raddb/preproxy_users" 
        compat = "no" 
  } 
 Module: Linked to module rlm_sql 
 Module: Instantiating module "sql" from file /etc/raddb/sql.conf 
  sql { 
        driver = "rlm_sql_mysql" 
        server = "localhost" 
        port = "" 
        login = "radius" 
        password = "radpass" 
        radius_db = "radius" 
        read_groups = yes 
        sqltrace = no 
        sqltracefile = "/var/log/radius/sqltrace.sql" 
        readclients = no 
        deletestalesessions = yes 
        num_sql_socks = 5 
        lifetime = 0 
        max_queries = 0 
        sql_user_name = "%{User-Name}" 
        default_user_profile = "" 
        nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" 
        authorize_check_query = "SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id" 
        authorize_reply_query = "SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id" 
        authorize_group_check_query = "SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id" 
        authorize_group_reply_query = "SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id" 
        accounting_onoff_query = "          UPDATE radacct           SET              acctstoptime       =  '%S',              acctsessiontime    =  unix_timestamp('%S') -                                    unix_timestamp(acctstarttime),              acctterminatecause =  '%{Acct-Terminate-Cause}',              acctstopdelay      =  %{%{Acct-Delay-Time}:-0}           WHERE acctstoptime IS NULL           AND nasipaddress      =  '%{NAS-IP-Address}'           AND acctstarttime     <= '%S'" 
        accounting_update_query = "           UPDATE radacct           SET              framedipaddress = '%{Framed-IP-Address}',              acctsessiontime     = '%{Acct-Session-Time}',              acctinputoctets     = '%{%{Acct-Input-Gigawords}:-0}'  << 32 |                                    '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets    = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                    '%{%{Acct-Output-Octets}:-0}'           WHERE acctsessionid = '%{Acct-Session-Id}'           AND username        = '%{SQL-User-Name}'           AND nasipaddress    = '%{NAS-IP-Address}'" 
        accounting_update_query_alt = "           INSERT INTO radacct             (acctsessionid,    acctuniqueid,      username,              realm,            nasipaddress,      nasportid,              nasporttype,      acctstarttime,     acctsessiontime,              acctauthentic,    connectinfo_start, acctinputoctets,              acctoutputoctets, calledstationid,   callingstationid,              servicetype,      framedprotocol,    framedipaddress,              acctstartdelay,   xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}',              DATE_SUB('%S',                       INTERVAL (%{%{Acct-Session-Time}:-0} +                                 %{%{Acct-Delay-Time}:-0}) SECOND),                       '%{Acct-Session-Time}',              '%{Acct-Authentic}', '',    
          '%{%{Acct-Input-Gigawords}:-0}' << 32 |              '%{%{Acct-Input-Octets}:-0}',              '%{%{Acct-Output-Gigawords}:-0}' << 32 |              '%{%{Acct-Output-Octets}:-0}',              '%{Called-Station-Id}', '%{Calling-Station-Id}',              '%{Service-Type}', '%{Framed-Protocol}',              '%{Framed-IP-Address}',              '0', '%{X-Ascend-Session-Svr-Key}')" 
        accounting_start_query = "           INSERT INTO radacct             (acctsessionid,    acctuniqueid,     username,              realm,            nasipaddress,     nasportid,              nasporttype,      acctstarttime,    acctstoptime,              acctsessiontime,  acctauthentic,    connectinfo_start,              connectinfo_stop, acctinputoctets,  acctoutputoctets,              calledstationid,  callingstationid, acctterminatecause,              servicetype,      framedprotocol,   framedipaddress,              acctstartdelay,   acctstopdelay,    xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,              '0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0', '0',              '%{Called-Station-Id}', '%{Calling-Station-Id}', '',      
        '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',              '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')" 
        accounting_start_query_alt = "           UPDATE radacct SET              acctstarttime     = '%S',              acctstartdelay    = '%{%{Acct-Delay-Time}:-0}',              connectinfo_start = '%{Connect-Info}'           WHERE acctsessionid  = '%{Acct-Session-Id}'           AND username         = '%{SQL-User-Name}'           AND nasipaddress     = '%{NAS-IP-Address}'" 
        accounting_stop_query = "           UPDATE radacct SET              acctstoptime       = '%S',              acctsessiontime    = '%{Acct-Session-Time}',              acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Output-Octets}:-0}',              acctterminatecause = '%{Acct-Terminate-Cause}',              acctstopdelay      = '%{%{Acct-Delay-Time}:-0}',              connectinfo_stop   = '%{Connect-Info}'           WHERE acctsessionid   = '%{Acct-Session-Id}'           AND username          = '%{SQL-User-Name}'           AND nasipaddress      = '%{NAS-IP-Address}'" 
        accounting_stop_query_alt = "           INSERT INTO radacct             (acctsessionid, acctuniqueid, username,              realm, nasipaddress, nasportid,              nasporttype, acctstarttime, acctstoptime,              acctsessiontime, acctauthentic, connectinfo_start,              connectinfo_stop, acctinputoctets, acctoutputoctets,              calledstationid, callingstationid, acctterminatecause,              servicetype, framedprotocol, framedipaddress,              acctstartdelay, acctstopdelay)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}',              DATE_SUB('%S',                  INTERVAL (%{%{Acct-Session-Time}:-0} +                  %{%{Acct-Delay-Time}:-0}) SECOND),              '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '',              '%{Connect-Info}',
              '%{%{Acct-Input-Gigawords}:-0}' << 32 |              '%{%{Acct-Input-Octets}:-0}',              '%{%{Acct-Output-Gigawords}:-0}' << 32 |              '%{%{Acct-Output-Octets}:-0}',              '%{Called-Station-Id}', '%{Calling-Station-Id}',              '%{Acct-Terminate-Cause}',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',              '0', '%{%{Acct-Delay-Time}:-0}')" 
        group_membership_query = "SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority" 
        connect_failure_retry_delay = 60 
        simul_count_query = "" 
        simul_verify_query = "SELECT radacctid, acctsessionid, username,                                nasipaddress, nasportid, framedipaddress,                                callingstationid, framedprotocol                                FROM radacct                                WHERE username = '%{SQL-User-Name}'                                AND acctstoptime IS NULL" 
        postauth_query = "INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S')" 
        safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" 
  } 
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked 
rlm_sql (sql): Attempting to connect to radius at localhost:/radius 
rlm_sql (sql): starting 0 
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 
rlm_sql_mysql: Starting connect to MySQL server for #0 
rlm_sql (sql): Connected new DB handle, #0 
rlm_sql (sql): starting 1 
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 
rlm_sql_mysql: Starting connect to MySQL server for #1 
rlm_sql (sql): Connected new DB handle, #1 
rlm_sql (sql): starting 2 
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 
rlm_sql_mysql: Starting connect to MySQL server for #2 
rlm_sql (sql): Connected new DB handle, #2 
rlm_sql (sql): starting 3 
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 
rlm_sql_mysql: Starting connect to MySQL server for #3 
rlm_sql (sql): Connected new DB handle, #3 
rlm_sql (sql): starting 4 
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 
rlm_sql_mysql: Starting connect to MySQL server for #4 
rlm_sql (sql): Connected new DB handle, #4 
 Module: Checking preacct {...} for more modules to load 
 Module: Linked to module rlm_acct_unique 
 Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique 
  acct_unique { 
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" 
  } 
 Module: Checking accounting {...} for more modules to load 
 Module: Linked to module rlm_detail 
 Module: Instantiating module "detail" from file /etc/raddb/modules/detail 
  detail { 
        detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" 
        header = "%t" 
        detailperm = 384 
        dirperm = 493 
        locking = no 
        log_packet_header = no 
  } 
 Module: Linked to module rlm_radutmp 
 Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp 
  radutmp { 
        filename = "/var/log/radius/radutmp" 
        username = "%{User-Name}" 
        case_sensitive = yes 
        check_with_nas = yes 
        perm = 384 
        callerid = yes 
  } 
 Module: Linked to module rlm_attr_filter 
 Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter 
  attr_filter attr_filter.accounting_response { 
        attrsfile = "/etc/raddb/attrs.accounting_response" 
        key = "%{User-Name}" 
        relaxed = no 
  } 
 Module: Checking session {...} for more modules to load 
 Module: Checking post-proxy {...} for more modules to load 
 Module: Checking post-auth {...} for more modules to load 
 Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter 
  attr_filter attr_filter.access_reject { 
        attrsfile = "/etc/raddb/attrs.access_reject" 
        key = "%{User-Name}" 
        relaxed = no 
  } 
 } # modules 
} # server 
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel 
 modules { 
 Module: Checking authenticate {...} for more modules to load 
 Module: Checking authorize {...} for more modules to load 
 Module: Checking session {...} for more modules to load 
 Module: Checking post-proxy {...} for more modules to load 
 Module: Checking post-auth {...} for more modules to load 
 } # modules 
} # server 
radiusd: #### Opening IP addresses and Ports #### 
listen { 
        type = "auth" 
        ipaddr = * 
        port = 0 
} 
listen { 
        type = "acct" 
        ipaddr = * 
        port = 0 
} 
listen { 
        type = "control" 
 listen { 
        socket = "/var/run/radiusd/radiusd.sock" 
 } 
} 
listen { 
        type = "auth" 
        ipaddr = 127.0.0.1 
        port = 18120 
} 
 ... adding new socket proxy address * port 55274 
Listening on authentication address * port 1812 
Listening on accounting address * port 1813 
Listening on command file /var/run/radiusd/radiusd.sock 
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel 
Listening on proxy address * port 1814 
Ready to process requests. 
rad_recv: Access-Request packet from host 192.168.130.5 port 32768, id=98, length=240 
        User-Name = "mschmidt" 
        Chargeable-User-Identity = "" 
        Location-Capable = Civix-Location 
        Calling-Station-Id = "54-26-96-3b-c7-b9" 
        Called-Station-Id = "04-da-d2-b3-ec-80:QP_USER" 
        NAS-Port = 1 
        Cisco-AVPair = "audit-session-id=c0a882050000124653690841" 
        NAS-IP-Address = 192.168.130.5 
        NAS-Identifier = "sano-wlc-01" 
        Airespace-Wlan-Id = 1 
        Service-Type = Framed-User 
        Framed-MTU = 1300 
        NAS-Port-Type = Wireless-802.11 
        Tunnel-Type:0 = VLAN 
        Tunnel-Medium-Type:0 = IEEE-802 
        Tunnel-Private-Group-Id:0 = "3301" 
        EAP-Message = 0x0201000d01616e74686f6e7962 
        Message-Authenticator = 0xa700edf63895515ddddc22454448b583 
# Executing section authorize from file /etc/raddb/sites-enabled/default 
+- entering group authorize {...} 
++[preprocess] returns ok 
++[chap] returns noop 
++[mschap] returns noop 
++[digest] returns noop 
[suffix] No '@' in User-Name = "mschmidt", looking up realm NULL 
[suffix] No such realm "NULL" 
++[suffix] returns noop 
[eap] EAP packet type response id 1 length 13 
[eap] No EAP Start, assuming it's an on-going EAP conversation 
++[eap] returns updated 
[files] users: Matched entry DEFAULT at line 131 
++[files] returns ok 
[sql]   expand: %{User-Name} -> mschmidt 
[sql] sql_set_user escaped user --> 'mschmidt' 
rlm_sql (sql): Reserving sql socket id: 4 
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'mschmidt'           ORDER BY id 
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'mschmidt'           ORDER BY priority 
rlm_sql (sql): Released sql socket id: 4 
[sql] User mschmidt not found 
++[sql] returns notfound 
++[expiration] returns noop 
++[logintime] returns noop 
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=mschmidt 
[ntlm_auth]     expand: --password=%{User-Password} -> --password= 
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) 
Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) 
Exec-Program: returned: 1 
++[ntlm_auth] returns reject 
Using Post-Auth-Type Reject 
# Executing group from file /etc/raddb/sites-enabled/default 
+- entering group REJECT {...} 
[attr_filter.access_reject]     expand: %{User-Name} -> mschmidt 
attr_filter: Matched entry DEFAULT at line 11 
++[attr_filter.access_reject] returns updated 
Delaying reject of request 0 for 1 seconds 
Going to the next request 
Waking up in 0.6 seconds. 
Sending delayed reject for request 0 
Sending Access-Reject of id 98 to 192.168.130.5 port 32768 
Waking up in 4.9 seconds. 
Cleaning up request 0 ID 98 with timestamp +26 
Ready to process requests. 
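
The condition visible in the debug output above, as an added example that is not part of the original post: the Access-Request from the WLC carries EAP-Message and no User-Password, so the exec module's `%{User-Password}` expands to an empty string. This Python script parses `radiusd -X` output and flags that case per request; the sample log is constructed from the lines in the post (the second request is invented for contrast), and all function names are assumptions.

```python
import re

# Constructed sample in the format of the `radiusd -X` output above.
# The first request mirrors the WLC request from the post; the second
# (a PAP request with a made-up password) is invented for contrast.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.168.130.5 port 32768, id=98, length=240
        User-Name = "mschmidt"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201000d01616e74686f6e7962
        Message-Authenticator = 0xa700edf63895515ddddc22454448b583
++[eap] returns updated
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=mschmidt
[ntlm_auth]     expand: --password=%{User-Password} -> --password=
++[ntlm_auth] returns reject
Sending Access-Reject of id 98 to 192.168.130.5 port 32768
rad_recv: Access-Request packet from host 127.0.0.1 port 40000, id=155, length=60
        User-Name = "mschmidt"
        User-Password = "constructed-password"
[ntlm_auth]     expand: --password=%{User-Password} -> --password=constructed-password
++[ntlm_auth] returns ok
Sending Access-Accept of id 155 to 127.0.0.1 port 40000
"""

RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
ATTR = re.compile(r"^\s+([\w:.-]+) = (.*)$")
EXPAND = re.compile(r"^\[([^\]]+)\]\s+expand: (.*?) -> (.*)$")
SENT = re.compile(r"^Sending (Access-\w+) of id (\d+)")
XLAT = re.compile(r"%\{[^{}]*\}")


def parse_requests(debug_text):
    """Split debug output into requests: attributes, expansions, final reply."""
    requests, by_id, current, in_header = [], {}, None, False
    for raw in debug_text.splitlines():
        line = raw.rstrip()
        m = RECV.match(line)
        if m:
            current = {"code": m.group(1), "src": m.group(2), "id": m.group(3),
                       "attrs": {}, "expansions": [], "reply": None}
            requests.append(current)
            by_id[current["id"]] = current
            in_header = True  # indented attribute lines follow rad_recv
            continue
        if current is None:
            continue  # startup/config dump before the first request
        m = ATTR.match(line) if in_header else None
        if m:
            current["attrs"][m.group(1)] = m.group(2).strip('"')
            continue
        in_header = False
        m = EXPAND.match(line)
        if m:
            current["expansions"].append(m.groups())
            continue
        m = SENT.match(line)
        if m and m.group(2) in by_id:
            by_id[m.group(2)]["reply"] = m.group(1)
    return requests


def expanded_empty(template, expanded):
    """True when every %{...} reference in the template expanded to nothing."""
    literal = template
    while XLAT.search(literal):  # loop handles nested %{%{A}:-B} forms
        literal = XLAT.sub("", literal)
    return expanded == literal


def diagnose(request):
    """Return findings explaining a missing password for one request."""
    findings = []
    attrs = request["attrs"]
    if "EAP-Message" in attrs and "User-Password" not in attrs:
        findings.append("eap-without-user-password")
    for module, template, expanded in request["expansions"]:
        if "%{User-Password}" in template and expanded_empty(template, expanded):
            findings.append(module + ":empty-user-password")
    return findings


if __name__ == "__main__":
    for req in parse_requests(SAMPLE_DEBUG):
        print(req["src"], "id", req["id"], req["reply"], diagnose(req))
```
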

