Proxying between RADIUS servers using TLS
Stefan Paetow
Stefan.Paetow at jisc.ac.uk
Wed Apr 1 17:50:22 CEST 2015
> Probably because the home server name you used is a valid DNS name,
I ive you the output of this cnfiguration (authhost set to the
home_server). You'll notice that authhost willhappily accept the
home_server entry and then do its thing... Provided a secret has been
provided in the 'realm' entry. The home_server entry contains an
underscore (not a dot):
Copyright (C) 1999-2015 The FreeRADIUS erver project and contributors
There is NO warranty; not even for MERCANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file namd COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/exec
incluing configuration file /etc/raddb/mods-enabled/alway
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mds-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/chapincluding configuration ile /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etcraddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/abfab_psk_sql
including configuration file /etc/raddb/mods-enabled/eap
inluding configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/uni
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/cache_eap
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/radb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/abfab-tr
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/polic.d/debug
including configuration file /etc/raddb/policy.d/operator-name
including files in directory /etc/raddb/sites-enabled/
including configuration ile /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/abfab-tr-idp
including configuration file /etc/raddb/sites-enabled/channel_bindings
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/lund-server
including configuration file /etc/raddb/sites-enabled/abfab-tls
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "yes"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connetions = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server main-idp65x64_localdomain {
ipaddr = 192.168.213.24
port = 2083
type = "auth"
proto = "tcp"
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombe_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
tls {
rsa_ky_exchange = no
dh_key_exhange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/main-idp-client.pem"
certificate_file = "/etc/raddb/certs/main-idp-client.pem"
ca_file = "/etc/raddb/certs/main-idp-capem"
private_key_password = <<< secret >>>
dh_file = "/etc/radd/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 8192
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
}
realm main-rp65x4.localdomain {
}
realm LOCAL {
}
realm main-idp65x64.localdomain {
nostrip
authhost = main-idp65x64_localdomain
secret = radsec
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
home_server_pool main-idp65x64_localdomain_authpool {
home_server = main-idp65x64_localdomain
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limi {
max_connections = 16
lifetime = 0
idle_tmeout = 30
}
}
Debugger not attached
# Creating Auth-Type = digest
radiusd: #### Instantiating modules ####
instantiate {
}
modules {
# Loaded module rlm_expiration
# Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration
# Loaded module rlm_exec
# Instantiating module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = es
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Instantiating module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_always
# Instantiatng module "reject" from ile /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Instantiating module "handled" from file /etc/rddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Instantiating module "invalid" from file /etc/radd/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Instantiating module "userlock" from file
/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Instantiating module "notfound" from file
/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mp = no
}
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = n
}
# Loaded module rlm_radutmp
# Instantiating module "sradutmp" from file
/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/ar/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_attr_filter
# Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/acounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file
/etc/raddb/mods-config/attr_filter/accounting_response
# Loaded module rlm_utf8
# Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_digest
# Instantiating module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded modue rlm_unpack
# Instantiating module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_dynamic_clients
# Instantiating module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_lients
# Loaded module rlm_logintime
# Instantiating module "logintime" from file
/et/raddb/mods-enabled/logintim
logintime {
minimum_timeout = 60
}
# Loaded module rlm_preprocess
#Instantiating module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_scend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack= no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Loaded module rlm_pap
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_soh
# Instantiating module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_chap
# Instantiating module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_dhcp
# Instantiating module "dhcp" from file /tc/raddb/mods-enabled/dhcp
# Loaded module rlm_linelog
# Instantiating module "linelog" from file
/etc/raddb/mods-enabled/linelog
linelog {
flename = "/var/log/radius/linelog"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{Packet-Type}:-default}"
}
# Instantiating module "log_accounting" from file
/etc/raddb/modsenabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_expr
# Instantiating module "expr" rom file /etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Instantiating module "radutmp" from file
/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Instantiating module "ntlm_auth" from file
/etc/raddb/mods-enaled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-ntkey --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_mschap
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_stron = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
# Loaded module rlm_realm
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
default_community = "none"
rp_realm = "none"
trust_router = "none"
tr_port = 0
}
Warning: dh_check failed with 8
: the g value is not a generator
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter= "@"
ignore_default = no
ignore_null = no
default_community = "none"
rp_realm = "none"
trust_router = "none"
tr_port = 0
}
# Instantiating module "realmpercent" frm file
/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
default_community = "none"
rp_realm = "none"
trust_router = "none"
tr_port = 0
}
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
default_community = "none"
rp_realm = "none"
trust_router = "none"
tr_port = 0
}
# Loaded module rlm_passwd
# Instantiating module "etc_passwd" from file
/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Loaded module rlm_sql
# Instantiating module "psksql" from file
/etc/raddb/mods-enabled/abfab_psk_sql
sql psksql {
driver = "rlm_sql_sqlite"
server = "localhost"
port = ""
login = ""
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = ""
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = ".query"
}
}
rlm_sql (psksql): Creating new attribute psksql-SQL-Group
rlm_sql_sqlite: libsqlite version: 3.6.20
sqlite {
filename = "/var/lib/trust_router/keys"
}
rlm_sql (psksql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and
linked
rlm_sql (psksql): Attempting to connect to database "radius"
rlm_sql (psksql): Initialising connection pool
pool {
start = 5
min = 5
max = 10
spare = 3
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_sql (psksql): Opening additional connection (0), 1 of 10 pending slots
used
rlm_sql_sqlite: Opening SQLite database "/var/lib/trust_router/keys"
rlm_sql (psksql): Opening additional connection (1), 1 of 9 pending slots
used
rlm_sql_sqlite: Opening SQLite database "/var/lib/trust_router/keys"
rlm_sql (psksql): Opening additional connection (2), 1 of 8 pending slots
used
rlm_sql_sqlite: Opening SQLite database "/var/lib/trust_router/keys"
rlm_sql (psksql): Opening additional connection (3), 1 of 7 pending slots
used
rlm_sql_sqlite: Opening SQLite database "/var/lib/trust_router/keys"
rlm_sql (psksql): Opening additional connection (4), 1 of 6 pending slots
used
rlm_sql_sqlite: Opening SQLite database "/var/lib/trust_router/keys"
# Loaded module rlm_eap
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
mod_accounting_username_bug = no
max_sessions = 1024
}
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_method = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Loaded module rlm_detail
# Instantiating module "auth_log" from file
/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addr
ess}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addr
ess}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addr
ess}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addr
ess}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addr
ess}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_unix
# Instantiating module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
# Loaded module rlm_replicate
# Instantiating module "replicate" from file
/etc/raddb/mods-enabled/replicate
# Loaded module rlm_files
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
usersfile = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
compat = "cistron"
}
reading pairlist file /etc/raddb/mods-config/files/authorize
[/etc/raddb/mods-config/files/authorize]:182 Cistron compatibility checks
for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:189 Cistron compatibility checks
for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility checks
for entry DEFAULT ...
reading pairlist file /etc/raddb/mods-config/files/authorize
[/etc/raddb/mods-config/files/authorize]:182 Cistron compatibility checks
for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:189 Cistron compatibility checks
for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility checks
for entry DEFAULT ...
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Loaded module rlm_cache
# Instantiating module "cache_eap" from file
/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server abfab-idp { # from file /etc/raddb/sites-enabled/abfab-tr-idp
# Loading authenticate {...}
# Loading authorize {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server abfab-idp
server channel_bindings { # from file
/etc/raddb/sites-enabled/channel_bindings
# Loading authorize {...}
} # server channel_bindings
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
/etc/raddb/policy.d/abfab-tr[28] Please change %{gss-acceptor-host-name}}
to &gss-acceptor-host-name}
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
cleanup_delay = 5
max_queue_size = 65536
auto_limit_acct = no
}
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Thread spawned new child 4. Total threads in pool: 4
Thread spawned new child 5. Total threads in pool: 5
Thread pool initialized
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
virtual_server = "abfab-idp"
ipaddr = *
port = 2083
proto = "tcp"
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.key"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/raddb/certs/dh"
fragment_size = 8192
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
require_client_cert = yes
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = no
use_nonce = yes
timeout = 0
softfail = no
}
}
Thread 4 waiting to be assigned a request
Thread 5 waiting to be assigned a request
Thread 3 waiting to be assigned a request
Thread 2 waiting to be assigned a request
Thread 1 waiting to be assigned a request
clients = "radsec-abfab"
client default {
ipaddr = 0.0.0.0/0
require_message_authenticator = no
proto = "tls"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth proto tcp address * port 2083 (TLS) bound to server
abfab-idp
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 32883
Ready to process requests
... new connection request on TCP socket
Listening on auth from client (127.0.0.1, 47640) -> (*, 2083,
virtual-server=abfab-idp)
Waking up in 0.8 seconds.
(0) Requiring client certificate
(0) Initiate
(0) (other): before/accept initialization
(0) TLS_accept: before/accept initialization
(0) <<< TLS 1.0 Handshake [length 0096], ClientHello
(0) TLS_accept: SSLv3 read client hello A
(0) >>> TLS 1.0 Handshake [length 003e], ServerHello
(0) TLS_accept: SSLv3 write server hello A
(0) >>> TLS 1.0 Handshake [length 093f], Certificate
(0) TLS_accept: SSLv3 write certificate A
(0) >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(0) TLS_accept: SSLv3 write key exchange A
(0) >>> TLS 1.0 Handshake [length 00bc], CertificateRequest
(0) TLS_accept: SSLv3 write certificate request A
(0) TLS_accept: SSLv3 flush data
(0) TLS_accept: Need to read more data: SSLv3 read client certificate A
(0) TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
Waking up in 0.8 seconds.
(0) <<< TLS 1.0 Handshake [length 093a], Certificate
(0) TLS Verify adding attributes
(0) chain-depth=1,
(0) error=0
(0) --> BUF-Name = The RP Company Certificate Authority
(0) --> subject = /C=FR/ST=Radius/L=Somewhere/O=The RP
Company/emailAddress=admin at main-rp65x64.localdomain/CN=The RP Company
Certificate Authority
(0) --> issuer = /C=FR/ST=Radius/L=Somewhere/O=The RP
Company/emailAddress=admin at main-rp65x64.localdomain/CN=The RP Company
Certificate Authority
(0) --> verify return:1
(0) TLS Verify adding attributes
(0) chain-depth=0,
(0) error=0
(0) --> BUF-Name = user at main-rp65x64.localdomain
(0) --> subject = /C=FR/ST=Radius/O=The RP
Company/CN=user at main-rp65x64.localdomain/emailAddress=user at main-rp65x64.loc
aldomain
(0) --> issuer = /C=FR/ST=Radius/L=Somewhere/O=The RP
Company/emailAddress=admin at main-rp65x64.localdomain/CN=The RP Company
Certificate Authority
(0) --> verify return:1
(0) TLS_accept: SSLv3 read client certificate A
(0) <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(0) TLS_accept: SSLv3 read client key exchange A
(0) <<< TLS 1.0 Handshake [length 0106], CertificateVerify
(0) TLS_accept: SSLv3 read certificate verify A
(0) <<< TLS 1.0 ChangeCipherSpec [length 0001]
(0) <<< TLS 1.0 Handshake [length 0010], Finished
(0) TLS_accept: SSLv3 read finished A
(0) >>> TLS 1.0 ChangeCipherSpec [length 0001]
(0) TLS_accept: SSLv3 write change cipher spec A
(0) >>> TLS 1.0 Handshake [length 0010], Finished
(0) TLS_accept: SSLv3 write finished A
(0) TLS_accept: SSLv3 flush data
(0) (other): SSL negotiation finished successfully
SSL Connection Established
Waking up in 0.8 seconds.
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 47640, id=0,
length=131
Threads: total/active/spare threads = 5/0/5
Thread 5 got semaphore
Thread 5 handling request 0, (1 handled so far)
(0) Received Access-Request Id 0 from 127.0.0.1:47640 to 0.0.0.0:2083
length 131
(0) User-Name = '@main-idp65x64.localdomain'
(0) GSS-Acceptor-Service-Name = 'host'
(0) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain'
(0) EAP-Message =
0x0200001f01406d61696e2d69647036357836342e6c6f63616c646f6d61696e
(0) Message-Authenticator = 0x2c3105c2b0f36cc4cd0648f99f293146
(0) # Executing section authorize from file
/etc/raddb/sites-enabled/abfab-tr-idp
(0) authorize {
(0) policy psk_authorize {
(0) if (TLS-PSK-Identity) {
(0) if (TLS-PSK-Identity) -> FALSE
(0) } # policy psk_authorize = notfound
(0) policy abfab_client_check {
(0) if ("%{client:gss_acceptor_host_name}" &&
"%{gss-acceptor-host-name}") {
(0) EXPAND %{client:gss_acceptor_host_name}
(0) -->
(0) if ("%{client:gss_acceptor_host_name}" &&
"%{gss-acceptor-host-name}") -> FALSE
(0) if ("%{client:trust_router_coi}") {
(0) EXPAND %{client:trust_router_coi}
(0) --> trapc65x64.localdomain
(0) if ("%{client:trust_router_coi}") -> TRUE
(0) if ("%{client:trust_router_coi}") {
(0) update request {
(0) EXPAND %{client:trust_router_coi}
(0) --> trapc65x64.localdomain
(0) Trust-Router-COI := "trapc65x64.localdomain"
(0) } # update request = noop
(0) } # if ("%{client:trust_router_coi}") = noop
(0) if ("%{client:gss_acceptor_realm_name}") {
(0) EXPAND %{client:gss_acceptor_realm_name}
(0) --> main-rp65x64.localdomain
(0) if ("%{client:gss_acceptor_realm_name}") -> TRUE
(0) if ("%{client:gss_acceptor_realm_name}") {
(0) update request {
(0) EXPAND %{client:gss_acceptor_realm_name}
(0) --> main-rp65x64.localdomain
(0) GSS-Acceptor-Realm-Name := "main-rp65x64.localdomain"
(0) } # update request = noop
(0) } # if ("%{client:gss_acceptor_realm_name}") = noop
(0) } # policy abfab_client_check = noop
(0) policy filter_username {
(0) if (!&User-Name) {
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ ) {
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # policy filter_username = noop
(0) [preprocess] = ok
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "main-idp65x64.localdomain" for User-Name =
"@main-idp65x64.localdomain"
(0) suffix: Found realm "main-idp65x64.localdomain"
(0) suffix: Adding Realm = "main-idp65x64.localdomain"
(0) suffix: Proxying request from user @main-idp65x64.localdomain to realm
main-idp65x64.localdomain
(0) suffix: Preparing to proxy authentication request to realm
"main-idp65x64.localdomain"
(0) [suffix] = updated
(0) eap: Request is supposed to be proxied to Realm
main-idp65x64.localdomain. Not doing EAP.
(0) [eap] = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) } # authorize = ok
Opening new proxy socket 'proxy (0.0.0.0, 0) -> home_server
(192.168.213.24, 2083)'
Waking up in 0.3 seconds.
Trying SSL to port 2083
Requiring Server certificate
(0) (other): before/connect initialization
(0) TLS_connect: before/connect initialization
(0) >>> Unknown TLS version [length 00f0]
(0) TLS_connect: SSLv2/v3 write client hello A
(0) <<< Unknown TLS version [length 003e]
(0) TLS_connect: SSLv3 read server hello A
(0) <<< Unknown TLS version [length 094e]
(0) TLS Verify adding attributes
(0) chain-depth=1,
(0) error=0
(0) --> BUF-Name = The IDP Company Certificate Authority
(0) --> subject = /C=FR/ST=Radius/L=Somewhere/O=The IDP
Company/emailAddress=admin at main-idp65x64.localdomain/CN=The IDP Company
Certificate Authority
(0) --> issuer = /C=FR/ST=Radius/L=Somewhere/O=The IDP
Company/emailAddress=admin at main-idp65x64.localdomain/CN=The IDP Company
Certificate Authority
(0) --> verify return:1
(0) TLS Verify adding attributes
(0) chain-depth=0,
(0) error=0
(0) --> BUF-Name = The IDP Company Server Certificate
(0) --> subject = /C=FR/ST=Radius/O=The IDP Company/CN=The IDP Company
Server Certificate/emailAddress=admin at main-idp65x64.localdomain
(0) --> issuer = /C=FR/ST=Radius/L=Somewhere/O=The IDP
Company/emailAddress=admin at main-idp65x64.localdomain/CN=The IDP Company
Certificate Authority
(0) --> verify return:1
(0) TLS_connect: SSLv3 read server certificate A
(0) <<< Unknown TLS version [length 014d]
(0) TLS_connect: SSLv3 read server key exchange A
(0) <<< Unknown TLS version [length 00dd]
(0) TLS_connect: SSLv3 read server certificate request A
(0) <<< Unknown TLS version [length 0004]
(0) TLS_connect: SSLv3 read server done A
(0) >>> Unknown TLS version [length 0949]
(0) TLS_connect: SSLv3 write client certificate A
(0) >>> Unknown TLS version [length 0046]
(0) TLS_connect: SSLv3 write client key exchange A
(0) >>> Unknown TLS version [length 0108]
(0) TLS_connect: SSLv3 write certificate verify A
(0) >>> Unknown TLS version [length 0001]
(0) TLS_connect: SSLv3 write change cipher spec A
(0) >>> Unknown TLS version [length 0010]
(0) TLS_connect: SSLv3 write finished A
(0) TLS_connect: SSLv3 flush data
(0) <<< Unknown TLS version [length 0001]
(0) <<< Unknown TLS version [length 0010]
(0) TLS_connect: SSLv3 read finished A
(0) (other): SSL negotiation finished successfully
Listening on proxy (192.168.213.56, 39779) -> home_server (192.168.213.24,
2083)
(0) Proxying request to home server 192.168.213.24 port 2083 (TLS) timeout
30.000000
(0) Sent Access-Request Id 51 from 192.168.213.56:39779 to
192.168.213.24:2083 length 202
(0) User-Name = '@main-idp65x64.localdomain'
(0) GSS-Acceptor-Service-Name = 'host'
(0) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain'
(0) EAP-Message =
0x0200001f01406d61696e2d69647036357836342e6c6f63616c646f6d61696e
(0) Message-Authenticator = 0x2c3105c2b0f36cc4cd0648f99f293146
(0) Trust-Router-COI := 'trapc65x64.localdomain'
(0) GSS-Acceptor-Realm-Name := 'main-rp65x64.localdomain'
(0) Event-Timestamp = 'Mar 20 2015 05:23:30 GMT'
(0) NAS-IP-Address = 127.0.0.1
(0) Proxy-State = 0x30
Thread 5 waiting to be assigned a request
Waking up in 0.1 seconds.
Waking up in 0.3 seconds.
Thread 4 got semaphore
Thread 4 handling request 0, (1 handled so far)
(0) Received Access-Challenge Id 51 from 192.168.213.24:2083 to
192.168.213.56:39779 length 67
(0) EAP-Message = 0x010100061520
(0) Message-Authenticator = 0x57713dab1b8477f7b5f3813f73d67cc9
(0) State = 0x624e9873624f8d9244b62dd155e240a4
(0) Proxy-State = 0x30
(0) # Executing section post-proxy from file
/etc/raddb/sites-enabled/abfab-tr-idp
(0) post-proxy {
(0) eap: No pre-existing handler found
(0) [eap] = noop
(0) } # post-proxy = noop
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/raddb/sites-enabled/abfab-tr-idp
(0) Sent Access-Challenge Id 0 from 0.0.0.0:2083 to 127.0.0.1:47640 length
64
(0) EAP-Message = 0x010100061520
(0) Message-Authenticator = 0x57713dab1b8477f7b5f3813f73d67cc9
(0) State = 0x624e9873624f8d9244b62dd155e240a4
(0) Finished request
Thread 4 waiting to be assigned a request
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 47640, id=0,
length=279
Waking up in 0.3 seconds.
Thread 3 got semaphore
Thread 3 handling request 1, (1 handled so far)
(1) Received Access-Request Id 0 from 127.0.0.1:47640 to 0.0.0.0:2083
length 279
(1) User-Name = '@main-idp65x64.localdomain'
(1) GSS-Acceptor-Service-Name = 'host'
(1) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain'
(1) EAP-Message =
0x020100a115001603010096010000920301550baed294c1717618dd6172bee5229dc2bcaa4
06e88d566952d30836773e97300004cc014c00a0039003800880087c00fc00500350084c013
c00900330032c012c008009a00990045004400160013c00ec004c00dc003002f00960041000
a0007c011c007c0
(1) State = 0x624e9873624f8d9244b62dd155e240a4
(1) Message-Authenticator = 0x6d99b9ff73c8b14335db31d396e588a8
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/etc/raddb/sites-enabled/abfab-tr-idp
(1) authorize {
(1) policy psk_authorize {
(1) if (TLS-PSK-Identity) {
(1) if (TLS-PSK-Identity) -> FALSE
(1) } # policy psk_authorize = notfound
(1) policy abfab_client_check {
(1) if ("%{client:gss_acceptor_host_name}" &&
"%{gss-acceptor-host-name}") {
(1) EXPAND %{client:gss_acceptor_host_name}
(1) -->
(1) if ("%{client:gss_acceptor_host_name}" &&
"%{gss-acceptor-host-name}") -> FALSE
(1) if ("%{client:trust_router_coi}") {
(1) EXPAND %{client:trust_router_coi}
(1) --> trapc65x64.localdomain
(1) if ("%{client:trust_router_coi}") -> TRUE
(1) if ("%{client:trust_router_coi}") {
(1) update request {
(1) EXPAND %{client:trust_router_coi}
(1) --> trapc65x64.localdomain
(1) Trust-Router-COI := "trapc65x64.localdomain"
(1) } # update request = noop
(1) } # if ("%{client:trust_router_coi}") = noop
(1) if ("%{client:gss_acceptor_realm_name}") {
(1) EXPAND %{client:gss_acceptor_realm_name}
(1) --> main-rp65x64.localdomain
(1) if ("%{client:gss_acceptor_realm_name}") -> TRUE
(1) if ("%{client:gss_acceptor_realm_name}") {
(1) update request {
(1) EXPAND %{client:gss_acceptor_realm_name}
(1) --> main-rp65x64.localdomain
(1) GSS-Acceptor-Realm-Name := "main-rp65x64.localdomain"
(1) } # update request = noop
(1) } # if ("%{client:gss_acceptor_realm_name}") = noop
(1) } # policy abfab_client_check = noop
(1) policy filter_username {
(1) if (!&User-Name) {
(1) if (!&User-Name) -> FALSE
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ ) {
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # policy filter_username = noop
(1) [preprocess] = ok
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "main-idp65x64.localdomain" for User-Name =
"@main-idp65x64.localdomain"
(1) suffix: Found realm "main-idp65x64.localdomain"
(1) suffix: Adding Realm = "main-idp65x64.localdomain"
(1) suffix: Proxying request from user @main-idp65x64.localdomain to realm
main-idp65x64.localdomain
(1) suffix: Preparing to proxy authentication request to realm
"main-idp65x64.localdomain"
(1) [suffix] = updated
(1) eap: Request is supposed to be proxied to Realm
main-idp65x64.localdomain. Not doing EAP.
(1) [eap] = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) } # authorize = ok
(1) Proxying request to home server 192.168.213.24 port 2083 (TLS) timeout
30.000000
(1) Sent Access-Request Id 242 from 192.168.213.56:39779 to
192.168.213.24:2083 length 350
(1) User-Name = '@main-idp65x64.localdomain'
(1) GSS-Acceptor-Service-Name = 'host'
(1) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain'
(1) EAP-Message =
0x020100a115001603010096010000920301550baed294c1717618dd6172bee5229dc2bcaa4
06e88d566952d30836773e97300004cc014c00a0039003800880087c00fc00500350084c013
c00900330032c012c008009a00990045004400160013c00ec004c00dc003002f00960041000
a0007c011c007c0
(1) State = 0x624e9873624f8d9244b62dd155e240a4
(1) Message-Authenticator = 0x6d99b9ff73c8b14335db31d396e588a8
(1) Trust-Router-COI := 'trapc65x64.localdomain'
(1) GSS-Acceptor-Realm-Name := 'main-rp65x64.localdomain'
(1) Event-Timestamp = 'Mar 20 2015 05:23:30 GMT'
(1) NAS-IP-Address = 127.0.0.1
(1) Proxy-State = 0x30
Thread 3 waiting to be assigned a request
(1) Received Access-Challenge Id 242 from 192.168.213.24:2083 to
192.168.213.56:39779 length 1071
(1) EAP-Message =
0x010203ec15c000000b0f160301005e0200005a0301550baedba41c012c8ec4d2820c405f9
27fbbb73a5d12045a8b9070302f123dbd2063312a9b5af0f5543b7524587b822afc7476ba1e
a27b5e521006ca647509cc05c014000012ff01000100000b000403000102000f00010116030
1094e0b00094a00
(1) Message-Authenticator = 0x4cbff08646c49fc075c254ddaf3707ec
(1) State = 0x624e9873634c8d9244b62dd155e240a4
(1) Proxy-State = 0x30
(1) # Executing section post-proxy from file
/etc/raddb/sites-enabled/abfab-tr-idp
(1) post-proxy {
(1) eap: No pre-existing handler found
(1) [eap] = noop
(1) } # post-proxy = noop
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/raddb/sites-enabled/abfab-tr-idp
(1) Sent Access-Challenge Id 0 from 0.0.0.0:2083 to 127.0.0.1:47640 length
1068
(1) EAP-Message =
0x010203ec15c000000b0f160301005e0200005a0301550baedba41c012c8ec4d2820c405f9
27fbbb73a5d12045a8b9070302f123dbd2063312a9b5af0f5543b7524587b822afc7476ba1e
a27b5e521006ca647509cc05c014000012ff01000100000b000403000102000f00010116030
1094e0b00094a00
(1) Message-Authenticator = 0x4cbff08646c49fc075c254ddaf3707ec
(1) State = 0x624e9873634c8d9244b62dd155e240a4
(1) Finished request
Waking up in 0.3 seconds.
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 47640, id=0,
length=124
Waking up in 0.3 seconds.
Thread 2 got semaphore
Thread 2 handling request 2, (1 handled so far)
(2) Received Access-Request Id 0 from 127.0.0.1:47640 to 0.0.0.0:2083
length 124
(2) User-Name = '@main-idp65x64.localdomain'
(2) GSS-Acceptor-Service-Name = 'host'
(2) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain'
(2) EAP-Message = 0x020200061500
(2) State = 0x624e9873634c8d9244b62dd155e240a4
(2) Message-Authenticator = 0xa8c75d22fef8821b5d8cfd5afa068964
(2) session-state: No cached attributes
(2) # Executing section authorize from file
/etc/raddb/sites-enabled/abfab-tr-idp
(2) authorize {
(2) policy psk_authorize {
(2) if (TLS-PSK-Identity) {
(2) if (TLS-PSK-Identity) -> FALSE
(2) } # policy psk_authorize = notfound
(2) policy abfab_client_check {
(2) if ("%{client:gss_acceptor_host_name}" &&
"%{gss-acceptor-host-name}") {
(2) EXPAND %{client:gss_acceptor_host_name}
(2) -->
(2) if ("%{client:gss_acceptor_host_name}" &&
"%{gss-acceptor-host-name}") -> FALSE
(2) if ("%{client:trust_router_coi}") {
(2) EXPAND %{client:trust_router_coi}
(2) --> trapc65x64.localdomain
(2) if ("%{client:trust_router_coi}") -> TRUE
(2) if ("%{client:trust_router_coi}") {
(2) update request {
(2) EXPAND %{client:trust_router_coi}
(2) --> trapc65x64.localdomain
(2) Trust-Router-COI := "trapc65x64.localdomain"
(2) } # update request = noop
(2) } # if ("%{client:trust_router_coi}") = noop
(2) if ("%{client:gss_acceptor_realm_name}") {
(2) EXPAND %{client:gss_acceptor_realm_name}
(2) --> main-rp65x64.localdomain
(2) if ("%{client:gss_acceptor_realm_name}") -> TRUE
(2) if ("%{client:gss_acceptor_realm_name}") {
(2) update request {
(2) EXPAND %{client:gss_acceptor_realm_name}
(2) --> main-rp65x64.localdomain
(2) GSS-Acceptor-Realm-Name := "main-rp65x64.localdomain"
(2) } # update request = noop
(2) } # if ("%{client:gss_acceptor_realm_name}") = noop
(2) } # policy abfab_client_check = noop
(2) policy filter_username {
(2) if (!&User-Name) {
(2) if (!&User-Name) -> FALSE
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@.*@/ ) {
(2) if (&User-Name =~ /@.*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # policy filter_username = noop
(2) [preprocess] = ok
(2) suffix: Checking for suffix after "@"
(2) suffix: Looking up realm "main-idp65x64.localdomain" for User-Name =
"@main-idp65x64.localdomain"
(2) suffix: Found realm "main-idp65x64.localdomain"
(2) suffix: Adding Realm = "main-idp65x64.localdomain"
(2) suffix: Proxying request from user @main-idp65x64.localdomain to realm
main-idp65x64.localdomain
(2) suffix: Preparing to proxy authentication request to realm
"main-idp65x64.localdomain"
(2) [suffix] = updated
(2) eap: Request is supposed to be proxied to Realm
main-idp65x64.localdomain. Not doing EAP.
(2) [eap] = noop
(2) [expiration] = noop
(2) [logintime] = noop
(2) } # authorize = ok
(2) Proxying request to home server 192.168.213.24 port 2083 (TLS) timeout
30.000000
(2) Sent Access-Request Id 31 from 192.168.213.56:39779 to
192.168.213.24:2083 length 195
(2) User-Name = '@main-idp65x64.localdomain'
(2) GSS-Acceptor-Service-Name = 'host'
(2) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain'
(2) EAP-Message = 0x020200061500
(2) State = 0x624e9873634c8d9244b62dd155e240a4
(2) Message-Authenticator = 0xa8c75d22fef8821b5d8cfd5afa068964
(2) Trust-Router-COI := 'trapc65x64.localdomain'
(2) GSS-Acceptor-Realm-Name := 'main-rp65x64.localdomain'
(2) Event-Timestamp = 'Mar 20 2015 05:23:30 GMT'
(2) NAS-IP-Address = 127.0.0.1
(2) Proxy-State = 0x30
Thread 2 waiting to be assigned a request
(2) Received Access-Challenge Id 31 from 192.168.213.24:2083 to
192.168.213.56:39779 length 1071
(2) EAP-Message =
0x010303ec15c000000b0f4d2ab15016ff2f6912da25705c6b9117ca3b45d563b87acc36153
98ac114410cab095da7455f94c6dd3b67fb12b754e03534443ab36b142336193532c5e470c9
b61941ed2911d3167a03e0bb0f799255fa8024254afb9a8aee0b07c5f2e5e40e486c89e7a56
83291be4f03f716
(2) Message-Authenticator = 0x776c05805ff610a169d2f2711eeeb97a
(2) State = 0x624e9873604d8d9244b62dd155e240a4
(2) Proxy-State = 0x30
(2) # Executing section post-proxy from file
/etc/raddb/sites-enabled/abfab-tr-idp
(2) post-proxy {
(2) eap: No pre-existing handler found
(2) [eap] = noop
(2) } # post-proxy = noop
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/raddb/sites-enabled/abfab-tr-idp
(2) Sent Access-Challenge Id 0 from 0.0.0.0:2083 to 127.0.0.1:47640 length
1068
(2) EAP-Message =
0x010303ec15c000000b0f4d2ab15016ff2f6912da25705c6b9117ca3b45d563b87acc36153
98ac114410cab095da7455f94c6dd3b67fb12b754e03534443ab36b142336193532c5e470c9
b61941ed2911d3167a03e0bb0f799255fa8024254afb9a8aee0b07c5f2e5e40e486c89e7a56
83291be4f03f716
(2) Message-Authenticator = 0x776c05805ff610a169d2f2711eeeb97a
(2) State = 0x624e9873604d8d9244b62dd155e240a4
(2) Finished request
Waking up in 0.3 seconds.
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 47640, id=0,
length=124
Waking up in 0.3 seconds.
Thread 1 got semaphore
Thread 1 handling request 3, (1 handled so far)
(3) Received Access-Request Id 0 from 127.0.0.1:47640 to 0.0.0.0:2083
length 124
(3) User-Name = '@main-idp65x64.localdomain'
(3) GSS-Acceptor-Service-Name = 'host'
(3) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain'
(3) EAP-Message = 0x020300061500
(3) State = 0x624e9873604d8d9244b62dd155e240a4
(3) Message-Authenticator = 0x3b2e1bcb5ed0ee5d07b02bc5d6a9fb1b
(3) session-state: No cached attributes
(3) # Executing section authorize from file
/etc/raddb/sites-enabled/abfab-tr-idp
(3) authorize {
(3) policy psk_authorize {
(3) if (TLS-PSK-Identity) {
(3) if (TLS-PSK-Identity) -> FALSE
(3) } # policy psk_authorize = notfound
(3) policy abfab_client_check {
(3) if ("%{client:gss_acceptor_host_name}" &&
"%{gss-acceptor-host-name}") {
(3) EXPAND %{client:gss_acceptor_host_name}
(3) -->
(3) if ("%{client:gss_acceptor_host_name}" &&
"%{gss-acceptor-host-name}") -> FALSE
(3) if ("%{client:trust_router_coi}") {
(3) EXPAND %{client:trust_router_coi}
(3) --> trapc65x64.localdomain
(3) if ("%{client:trust_router_coi}") -> TRUE
(3) if ("%{client:trust_router_coi}") {
(3) update request {
(3) EXPAND %{client:trust_router_coi}
(3) --> trapc65x64.localdomain
(3) Trust-Router-COI := "trapc65x64.localdomain"
(3) } # update request = noop
(3) } # if ("%{client:trust_router_coi}") = noop
(3) if ("%{client:gss_acceptor_realm_name}") {
(3) EXPAND %{client:gss_acceptor_realm_name}
(3) --> main-rp65x64.localdomain
(3) if ("%{client:gss_acceptor_realm_name}") -> TRUE
(3) if ("%{client:gss_acceptor_realm_name}") {
(3) update request {
(3) EXPAND %{client:gss_acceptor_realm_name}
(3) --> main-rp65x64.localdomain
(3) GSS-Acceptor-Realm-Name := "main-rp65x64.localdomain"
(3) } # update request = noop
(3) } # if ("%{client:gss_acceptor_realm_name}") = noop
(3) } # policy abfab_client_check = noop
(3) policy filter_username {
(3) if (!&User-Name) {
(3) if (!&User-Name) -> FALSE
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@.*@/ ) {
(3) if (&User-Name =~ /@.*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # policy filter_username = noop
(3) [preprocess] = ok
(3) suffix: Checking for suffix after "@"
(3) suffix: Looking up realm "main-idp65x64.localdomain" for User-Name =
"@main-idp65x64.localdomain"
(3) suffix: Found realm "main-idp65x64.localdomain"
(3) suffix: Adding Realm = "main-idp65x64.localdomain"
(3) suffix: Proxying request from user @main-idp65x64.localdomain to realm
main-idp65x64.localdomain
(3) suffix: Preparing to proxy authentication request to realm
"main-idp65x64.localdomain"
(3) [suffix] = updated
(3) eap: Request is supposed to be proxied to Realm
main-idp65x64.localdomain. Not doing EAP.
(3) [eap] = noop
(3) [expiration] = noop
(3) [logintime] = noop
(3) } # authorize = ok
(3) Proxying request to home server 192.168.213.24 port 2083 (TLS) timeout
30.000000
(3) Sent Access-Request Id 148 from 192.168.213.56:39779 to
192.168.213.24:2083 length 195
(3) User-Name = '@main-idp65x64.localdomain'
(3) GSS-Acceptor-Service-Name = 'host'
(3) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain'
(3) EAP-Message = 0x020300061500
(3) State = 0x624e9873604d8d9244b62dd155e240a4
(3) Message-Authenticator = 0x3b2e1bcb5ed0ee5d07b02bc5d6a9fb1b
(3) Trust-Router-COI := 'trapc65x64.localdomain'
(3) GSS-Acceptor-Realm-Name := 'main-rp65x64.localdomain'
(3) Event-Timestamp = 'Mar 20 2015 05:23:30 GMT'
(3) NAS-IP-Address = 127.0.0.1
(3) Proxy-State = 0x30
Thread 1 waiting to be assigned a request
(3) Received Access-Challenge Id 148 from 192.168.213.24:2083 to
192.168.213.56:39779 length 920
(3) EAP-Message =
0x01040355158000000b0f12301006035504071309536f6d657768657265311830160603550
40a130f5468652049445020436f6d70616e79312e302c06092a864886f70d010901161f6164
6d696e406d61696e2d69647036357836342e6c6f63616c646f6d61696e312e302c060355040
313255468652049
(3) Message-Authenticator = 0x09669b4642bdce77fe3a7d0359b7ac4f
(3) State = 0x624e9873614a8d9244b62dd155e240a4
(3) Proxy-State = 0x30
(3) # Executing section post-proxy from file
/etc/raddb/sites-enabled/abfab-tr-idp
(3) post-proxy {
(3) eap: No pre-existing handler found
(3) [eap] = noop
(3) } # post-proxy = noop
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/raddb/sites-enabled/abfab-tr-idp
(3) Sent Access-Challenge Id 0 from 0.0.0.0:2083 to 127.0.0.1:47640 length
917
(3) EAP-Message =
0x01040355158000000b0f12301006035504071309536f6d657768657265311830160603550
40a130f5468652049445020436f6d70616e79312e302c06092a864886f70d010901161f6164
6d696e406d61696e2d69647036357836342e6c6f63616c646f6d61696e312e302c060355040
313255468652049
(3) Message-Authenticator = 0x09669b4642bdce77fe3a7d0359b7ac4f
(3) State = 0x624e9873614a8d9244b62dd155e240a4
(3) Finished request
Waking up in 0.3 seconds.
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 47640, id=0,
length=258
Waking up in 0.2 seconds.
Thread 5 got semaphore
Thread 5 handling request 4, (2 handled so far)
(4) Received Access-Request Id 0 from 127.0.0.1:47640 to 0.0.0.0:2083
length 258
(4) User-Name = '@main-idp65x64.localdomain'
(4) GSS-Acceptor-Service-Name = 'host'
(4) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain'
(4) EAP-Message =
0x0204008c150016030100461000004241044edefecb0a15e53b2fd6f654884ae6526574a22
008310394452ad36b69e663a430974d58930fc14dee399bbcadace6e32e09db92ed03f67781
26b6e67136bf84140301000101160301003069e526b5f5f44ab2b02cec69ee08ccccf2d3c75
3c154ab68150f70
(4) State = 0x624e9873614a8d9244b62dd155e240a4
(4) Message-Authenticator = 0xa0e6172a092f092ae70db1580f9f1751
(4) session-state: No cached attributes
(4) # Executing section authorize from file
/etc/raddb/sites-enabled/abfab-tr-idp
(4) authorize {
(4) policy psk_authorize {
(4) if (TLS-PSK-Identity) {
(4) if (TLS-PSK-Identity) -> FALSE
(4) } # policy psk_authorize = notfound
(4) policy abfab_client_check {
(4) if ("%{client:gss_acceptor_host_name}" &&
"%{gss-acceptor-host-name}") {
(4) EXPAND %{client:gss_acceptor_host_name}
(4) -->
(4) if ("%{client:gss_acceptor_host_name}" &&
"%{gss-acceptor-host-name}") -> FALSE
(4) if ("%{client:trust_router_coi}") {
(4) EXPAND %{client:trust_router_coi}
(4) --> trapc65x64.localdomain
(4) if ("%{client:trust_router_coi}") -> TRUE
(4) if ("%{client:trust_router_coi}") {
(4) update request {
(4) EXPAND %{client:trust_router_coi}
(4) --> trapc65x64.localdomain
(4) Trust-Router-COI := "trapc65x64.localdomain"
(4) } # update request = noop
(4) } # if ("%{client:trust_router_coi}") = noop
(4) if ("%{client:gss_acceptor_realm_name}") {
(4) EXPAND %{client:gss_acceptor_realm_name}
(4) --> main-rp65x64.localdomain
(4) if ("%{client:gss_acceptor_realm_name}") -> TRUE
(4) if ("%{client:gss_acceptor_realm_name}") {
(4) update request {
(4) EXPAND %{client:gss_acceptor_realm_name}
(4) --> main-rp65x64.localdomain
(4) GSS-Acceptor-Realm-Name := "main-rp65x64.localdomain"
(4) } # update request = noop
(4) } # if ("%{client:gss_acceptor_realm_name}") = noop
(4) } # policy abfab_client_check = noop
(4) policy filter_username {
(4) if (!&User-Name) {
(4) if (!&User-Name) -> FALSE
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@.*@/ ) {
(4) if (&User-Name =~ /@.*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # policy filter_username = noop
(4) [preprocess] = ok
(4) suffix: Checking for suffix after "@"
(4) suffix: Looking up realm "main-idp65x64.localdomain" for User-Name =
"@main-idp65x64.localdomain"
(4) suffix: Found realm "main-idp65x64.localdomain"
(4) suffix: Adding Realm = "main-idp65x64.localdomain"
(4) suffix: Proxying request from user @main-idp65x64.localdomain to realm
main-idp65x64.localdomain
(4) suffix: Preparing to proxy authentication request to realm
"main-idp65x64.localdomain"
(4) [suffix] = updated
(4) eap: Request is supposed to be proxied to Realm
main-idp65x64.localdomain. Not doing EAP.
(4) [eap] = noop
(4) [expiration] = noop
(4) [logintime] = noop
(4) } # authorize = ok
(4) Proxying request to home server 192.168.213.24 port 2083 (TLS) timeout
30.000000
(4) Sent Access-Request Id 170 from 192.168.213.56:39779 to
192.168.213.24:2083 length 329
(4) User-Name = '@main-idp65x64.localdomain'
(4) GSS-Acceptor-Service-Name = 'host'
(4) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain'
(4) EAP-Message =
0x0204008c150016030100461000004241044edefecb0a15e53b2fd6f654884ae6526574a22
008310394452ad36b69e663a430974d58930fc14dee399bbcadace6e32e09db92ed03f67781
26b6e67136bf84140301000101160301003069e526b5f5f44ab2b02cec69ee08ccccf2d3c75
3c154ab68150f70
(4) State = 0x624e9873614a8d9244b62dd155e240a4
(4) Message-Authenticator = 0xa0e6172a092f092ae70db1580f9f1751
(4) Trust-Router-COI := 'trapc65x64.localdomain'
(4) GSS-Acceptor-Realm-Name := 'main-rp65x64.localdomain'
(4) Event-Timestamp = 'Mar 20 2015 05:23:30 GMT'
(4) NAS-IP-Address = 127.0.0.1
(4) Proxy-State = 0x30
Thread 5 waiting to be assigned a request
(4) Received Access-Challenge Id 170 from 192.168.213.24:2083 to
192.168.213.56:39779 length 130
(4) EAP-Message =
0x0105004515800000003b140301000101160301003003c05dd1fc522ee506b71d52632ad1f
9351611cd071c429b2821f1694ab45ac2f0703b13877270383d7b6077b4ecb953
(4) Message-Authenticator = 0xcaa6eda1c3a5a258d463a899b28d5f55
(4) State = 0x624e9873664b8d9244b62dd155e240a4
(4) Proxy-State = 0x30
(4) # Executing section post-proxy from file
/etc/raddb/sites-enabled/abfab-tr-idp
(4) post-proxy {
(4) eap: No pre-existing handler found
(4) [eap] = noop
(4) } # post-proxy = noop
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/raddb/sites-enabled/abfab-tr-idp
(4) Sent Access-Challenge Id 0 from 0.0.0.0:2083 to 127.0.0.1:47640 length
127
(4) EAP-Message =
0x0105004515800000003b140301000101160301003003c05dd1fc522ee506b71d52632ad1f
9351611cd071c429b2821f1694ab45ac2f0703b13877270383d7b6077b4ecb953
(4) Message-Authenticator = 0xcaa6eda1c3a5a258d463a899b28d5f55
(4) State = 0x624e9873664b8d9244b62dd155e240a4
(4) Finished request
Waking up in 0.2 seconds.
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 47640, id=0,
length=246
Waking up in 0.1 seconds.
Thread 4 got semaphore
Thread 4 handling request 5, (2 handled so far)
(5) Received Access-Request Id 0 from 127.0.0.1:47640 to 0.0.0.0:2083
length 246
(5) User-Name = '@main-idp65x64.localdomain'
(5) GSS-Acceptor-Service-Name = 'host'
(5) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain'
(5) EAP-Message =
0x02050080150017030100208b62ff2b3881902a380bc71904c7a8ef12b3abf37e258a37c26
6eeb8a0b7628a17030100509d8d77e1936ce65bc5a1cdd165bad9317d40782e6b62738c3e0a
54a065a2f77ef6c1ca5b62736bbd197ebd83bf7329c7dccb665fbcd37ae90b29b97e1ee16d8
8782851dcfded91
(5) State = 0x624e9873664b8d9244b62dd155e240a4
(5) Message-Authenticator = 0xcf9509b67ea4081fa1c3b8e42bd4acdc
(5) session-state: No cached attributes
(5) # Executing section authorize from file
/etc/raddb/sites-enabled/abfab-tr-idp
(5) authorize {
(5) policy psk_authorize {
(5) if (TLS-PSK-Identity) {
(5) if (TLS-PSK-Identity) -> FALSE
(5) } # policy psk_authorize = notfound
(5) policy abfab_client_check {
(5) if ("%{client:gss_acceptor_host_name}" &&
"%{gss-acceptor-host-name}") {
(5) EXPAND %{client:gss_acceptor_host_name}
(5) -->
(5) if ("%{client:gss_acceptor_host_name}" &&
"%{gss-acceptor-host-name}") -> FALSE
(5) if ("%{client:trust_router_coi}") {
(5) EXPAND %{client:trust_router_coi}
(5) --> trapc65x64.localdomain
(5) if ("%{client:trust_router_coi}") -> TRUE
(5) if ("%{client:trust_router_coi}") {
(5) update request {
(5) EXPAND %{client:trust_router_coi}
(5) --> trapc65x64.localdomain
(5) Trust-Router-COI := "trapc65x64.localdomain"
(5) } # update request = noop
(5) } # if ("%{client:trust_router_coi}") = noop
(5) if ("%{client:gss_acceptor_realm_name}") {
(5) EXPAND %{client:gss_acceptor_realm_name}
(5) --> main-rp65x64.localdomain
(5) if ("%{client:gss_acceptor_realm_name}") -> TRUE
(5) if ("%{client:gss_acceptor_realm_name}") {
(5) update request {
(5) EXPAND %{client:gss_acceptor_realm_name}
(5) --> main-rp65x64.localdomain
(5) GSS-Acceptor-Realm-Name := "main-rp65x64.localdomain"
(5) } # update request = noop
(5) } # if ("%{client:gss_acceptor_realm_name}") = noop
(5) } # policy abfab_client_check = noop
(5) policy filter_username {
(5) if (!&User-Name) {
(5) if (!&User-Name) -> FALSE
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@.*@/ ) {
(5) if (&User-Name =~ /@.*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # policy filter_username = noop
(5) [preprocess] = ok
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "main-idp65x64.localdomain" for User-Name =
"@main-idp65x64.localdomain"
(5) suffix: Found realm "main-idp65x64.localdomain"
(5) suffix: Adding Realm = "main-idp65x64.localdomain"
(5) suffix: Proxying request from user @main-idp65x64.localdomain to realm
main-idp65x64.localdomain
(5) suffix: Preparing to proxy authentication request to realm
"main-idp65x64.localdomain"
(5) [suffix] = updated
(5) eap: Request is supposed to be proxied to Realm
main-idp65x64.localdomain. Not doing EAP.
(5) [eap] = noop
(5) [expiration] = noop
(5) [logintime] = noop
(5) } # authorize = ok
(5) Proxying request to home server 192.168.213.24 port 2083 (TLS) timeout
30.000000
(5) Sent Access-Request Id 154 from 192.168.213.56:39779 to
192.168.213.24:2083 length 317
(5) User-Name = '@main-idp65x64.localdomain'
(5) GSS-Acceptor-Service-Name = 'host'
(5) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain'
(5) EAP-Message =
0x02050080150017030100208b62ff2b3881902a380bc71904c7a8ef12b3abf37e258a37c26
6eeb8a0b7628a17030100509d8d77e1936ce65bc5a1cdd165bad9317d40782e6b62738c3e0a
54a065a2f77ef6c1ca5b62736bbd197ebd83bf7329c7dccb665fbcd37ae90b29b97e1ee16d8
8782851dcfded91
(5) State = 0x624e9873664b8d9244b62dd155e240a4
(5) Message-Authenticator = 0xcf9509b67ea4081fa1c3b8e42bd4acdc
(5) Trust-Router-COI := 'trapc65x64.localdomain'
(5) GSS-Acceptor-Realm-Name := 'main-rp65x64.localdomain'
(5) Event-Timestamp = 'Mar 20 2015 05:23:30 GMT'
(5) NAS-IP-Address = 127.0.0.1
(5) Proxy-State = 0x30
Thread 4 waiting to be assigned a request
(5) Received Access-Challenge Id 154 from 192.168.213.24:2083 to
192.168.213.56:39779 length 140
(5) EAP-Message =
0x0106004f15800000004517030100407a9f331f46c728c130d7ba48c5241fba882601f45d0
6d3f751471eaf62b6e5d7197e99a5b0f427c4787bf0b772ae79a49b452755f0de9db606fa99
35556aa183
(5) Message-Authenticator = 0x1ba652c38efca358b6442b6462b25619
(5) State = 0x624e987367488d9244b62dd155e240a4
(5) Proxy-State = 0x30
(5) # Executing section post-proxy from file
/etc/raddb/sites-enabled/abfab-tr-idp
(5) post-proxy {
(5) eap: No pre-existing handler found
(5) [eap] = noop
(5) } # post-proxy = noop
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/raddb/sites-enabled/abfab-tr-idp
(5) Sent Access-Challenge Id 0 from 0.0.0.0:2083 to 127.0.0.1:47640 length
137
(5) EAP-Message =
0x0106004f15800000004517030100407a9f331f46c728c130d7ba48c5241fba882601f45d0
6d3f751471eaf62b6e5d7197e99a5b0f427c4787bf0b772ae79a49b452755f0de9db606fa99
35556aa183
(5) Message-Authenticator = 0x1ba652c38efca358b6442b6462b25619
(5) State = 0x624e987367488d9244b62dd155e240a4
(5) Finished request
Waking up in 0.1 seconds.
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 47640, id=0,
length=278
Thread 3 got semaphore
Thread 3 handling request 6, (2 handled so far)
(6) Received Access-Request Id 0 from 127.0.0.1:47640 to 0.0.0.0:2083
length 278
(6) User-Name = '@main-idp65x64.localdomain'
(6) GSS-Acceptor-Service-Name = 'host'
(6) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain'
(6) EAP-Message =
0x020600a015001703010020035dc5746d642d942c34504894241ffb3a4800d226236832a44
61b03e3f6e9a517030100700b145eddc20debb2bcb54c2f64ecf2d9821212b4a44fc84f25c6
e813f5262c60648ba8c2502a6bbe9ee9bc5e75e21cb0d892b91b3623c82afc4e39f02c03a2e
2b4ddcae0b8f120
(6) State = 0x624e987367488d9244b62dd155e240a4
(6) Message-Authenticator = 0x60af0ea3cd7ee5a210c95532f9b44dd7
(6) session-state: No cached attributes
(6) # Executing section authorize from file
/etc/raddb/sites-enabled/abfab-tr-idp
(6) authorize {
(6) policy psk_authorize {
(6) if (TLS-PSK-Identity) {
(6) if (TLS-PSK-Identity) -> FALSE
(6) } # policy psk_authorize = notfound
(6) policy abfab_client_check {
(6) if ("%{client:gss_acceptor_host_name}" &&
"%{gss-acceptor-host-name}") {
(6) EXPAND %{client:gss_acceptor_host_name}
(6) -->
(6) if ("%{client:gss_acceptor_host_name}" &&
"%{gss-acceptor-host-name}") -> FALSE
(6) if ("%{client:trust_router_coi}") {
(6) EXPAND %{client:trust_router_coi}
(6) --> trapc65x64.localdomain
(6) if ("%{client:trust_router_coi}") -> TRUE
(6) if ("%{client:trust_router_coi}") {
(6) update request {
(6) EXPAND %{client:trust_router_coi}
(6) --> trapc65x64.localdomain
(6) Trust-Router-COI := "trapc65x64.localdomain"
(6) } # update request = noop
(6) } # if ("%{client:trust_router_coi}") = noop
(6) if ("%{client:gss_acceptor_realm_name}") {
(6) EXPAND %{client:gss_acceptor_realm_name}
(6) --> main-rp65x64.localdomain
(6) if ("%{client:gss_acceptor_realm_name}") -> TRUE
(6) if ("%{client:gss_acceptor_realm_name}") {
(6) update request {
(6) EXPAND %{client:gss_acceptor_realm_name}
(6) --> main-rp65x64.localdomain
(6) GSS-Acceptor-Realm-Name := "main-rp65x64.localdomain"
(6) } # update request = noop
(6) } # if ("%{client:gss_acceptor_realm_name}") = noop
(6) } # policy abfab_client_check = noop
(6) policy filter_username {
(6) if (!&User-Name) {
(6) if (!&User-Name) -> FALSE
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@.*@/ ) {
(6) if (&User-Name =~ /@.*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # policy filter_username = noop
(6) [preprocess] = ok
(6) suffix: Checking for suffix after "@"
(6) suffix: Looking up realm "main-idp65x64.localdomain" for User-Name =
"@main-idp65x64.localdomain"
(6) suffix: Found realm "main-idp65x64.localdomain"
(6) suffix: Adding Realm = "main-idp65x64.localdomain"
(6) suffix: Proxying request from user @main-idp65x64.localdomain to realm
main-idp65x64.localdomain
(6) suffix: Preparing to proxy authentication request to realm
"main-idp65x64.localdomain"
(6) [suffix] = updated
(6) eap: Request is supposed to be proxied to Realm
main-idp65x64.localdomain. Not doing EAP.
(6) [eap] = noop
(6) [expiration] = noop
(6) [logintime] = noop
(6) } # authorize = ok
(6) Proxying request to home server 192.168.213.24 port 2083 (TLS) timeout
30.000000
(6) Sent Access-Request Id 90 from 192.168.213.56:39779 to
192.168.213.24:2083 length 349
(6) User-Name = '@main-idp65x64.localdomain'
(6) GSS-Acceptor-Service-Name = 'host'
(6) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain'
(6) EAP-Message =
0x020600a015001703010020035dc5746d642d942c34504894241ffb3a4800d226236832a44
61b03e3f6e9a517030100700b145eddc20debb2bcb54c2f64ecf2d9821212b4a44fc84f25c6
e813f5262c60648ba8c2502a6bbe9ee9bc5e75e21cb0d892b91b3623c82afc4e39f02c03a2e
2b4ddcae0b8f120
(6) State = 0x624e987367488d9244b62dd155e240a4
(6) Message-Authenticator = 0x60af0ea3cd7ee5a210c95532f9b44dd7
(6) Trust-Router-COI := 'trapc65x64.localdomain'
(6) GSS-Acceptor-Realm-Name := 'main-rp65x64.localdomain'
(6) Event-Timestamp = 'Mar 20 2015 05:23:30 GMT'
(6) NAS-IP-Address = 127.0.0.1
(6) Proxy-State = 0x30
Thread 3 waiting to be assigned a request
(6) Received Access-Challenge Id 90 from 192.168.213.24:2083 to
192.168.213.56:39779 length 156
(6) EAP-Message =
0x0107005f1580000000551703010050bf16d2f6beb2090271610cf06e770074ca6ecbf231e
a112a22626d10efdcf188d4a129afc427b50672c4313f97f2d3400c66bbb11a763460d64937
1f01ccbc85b29154d94f2481f90f1f893789394048
(6) Message-Authenticator = 0x6e0a470348ecb3579f412717030f788b
(6) State = 0x624e987364498d9244b62dd155e240a4
(6) Proxy-State = 0x30
(6) # Executing section post-proxy from file
/etc/raddb/sites-enabled/abfab-tr-idp
(6) post-proxy {
(6) eap: No pre-existing handler found
(6) [eap] = noop
(6) } # post-proxy = noop
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/raddb/sites-enabled/abfab-tr-idp
(6) Sent Access-Challenge Id 0 from 0.0.0.0:2083 to 127.0.0.1:47640 length
153
(6) EAP-Message =
0x0107005f1580000000551703010050bf16d2f6beb2090271610cf06e770074ca6ecbf231e
a112a22626d10efdcf188d4a129afc427b50672c4313f97f2d3400c66bbb11a763460d64937
1f01ccbc85b29154d94f2481f90f1f893789394048
(6) Message-Authenticator = 0x6e0a470348ecb3579f412717030f788b
(6) State = 0x624e987364498d9244b62dd155e240a4
(6) Finished request
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 47640, id=0,
length=124
Thread 2 got semaphore
Thread 2 handling request 7, (2 handled so far)
(7) Received Access-Request Id 0 from 127.0.0.1:47640 to 0.0.0.0:2083
length 124
(7) User-Name = '@main-idp65x64.localdomain'
(7) GSS-Acceptor-Service-Name = 'host'
(7) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain'
(7) EAP-Message = 0x020700061500
(7) State = 0x624e987364498d9244b62dd155e240a4
(7) Message-Authenticator = 0x012c910c69bf42cd6876c32bf8ffb696
(7) session-state: No cached attributes
(7) # Executing section authorize from file
/etc/raddb/sites-enabled/abfab-tr-idp
(7) authorize {
(7) policy psk_authorize {
(7) if (TLS-PSK-Identity) {
(7) if (TLS-PSK-Identity) -> FALSE
(7) } # policy psk_authorize = notfound
(7) policy abfab_client_check {
(7) if ("%{client:gss_acceptor_host_name}" &&
"%{gss-acceptor-host-name}") {
(7) EXPAND %{client:gss_acceptor_host_name}
(7) -->
(7) if ("%{client:gss_acceptor_host_name}" &&
"%{gss-acceptor-host-name}") -> FALSE
(7) if ("%{client:trust_router_coi}") {
(7) EXPAND %{client:trust_router_coi}
(7) --> trapc65x64.localdomain
(7) if ("%{client:trust_router_coi}") -> TRUE
(7) if ("%{client:trust_router_coi}") {
(7) update request {
(7) EXPAND %{client:trust_router_coi}
(7) --> trapc65x64.localdomain
(7) Trust-Router-COI := "trapc65x64.localdomain"
(7) } # update request = noop
(7) } # if ("%{client:trust_router_coi}") = noop
(7) if ("%{client:gss_acceptor_realm_name}") {
(7) EXPAND %{client:gss_acceptor_realm_name}
(7) --> main-rp65x64.localdomain
(7) if ("%{client:gss_acceptor_realm_name}") -> TRUE
(7) if ("%{client:gss_acceptor_realm_name}") {
(7) update request {
(7) EXPAND %{client:gss_acceptor_realm_name}
(7) --> main-rp65x64.localdomain
(7) GSS-Acceptor-Realm-Name := "main-rp65x64.localdomain"
(7) } # update request = noop
(7) } # if ("%{client:gss_acceptor_realm_name}") = noop
(7) } # policy abfab_client_check = noop
(7) policy filter_username {
(7) if (!&User-Name) {
(7) if (!&User-Name) -> FALSE
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@.*@/ ) {
(7) if (&User-Name =~ /@.*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # policy filter_username = noop
(7) [preprocess] = ok
(7) suffix: Checking for suffix after "@"
(7) suffix: Looking up realm "main-idp65x64.localdomain" for User-Name =
"@main-idp65x64.localdomain"
(7) suffix: Found realm "main-idp65x64.localdomain"
(7) suffix: Adding Realm = "main-idp65x64.localdomain"
(7) suffix: Proxying request from user @main-idp65x64.localdomain to realm
main-idp65x64.localdomain
(7) suffix: Preparing to proxy authentication request to realm
"main-idp65x64.localdomain"
(7) [suffix] = updated
(7) eap: Request is supposed to be proxied to Realm
main-idp65x64.localdomain. Not doing EAP.
(7) [eap] = noop
(7) [expiration] = noop
(7) [logintime] = noop
(7) } # authorize = ok
(7) Proxying request to home server 192.168.213.24 port 2083 (TLS) timeout
30.000000
(7) Sent Access-Request Id 105 from 192.168.213.56:39779 to
192.168.213.24:2083 length 195
(7) User-Name = '@main-idp65x64.localdomain'
(7) GSS-Acceptor-Service-Name = 'host'
(7) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain'
(7) EAP-Message = 0x020700061500
(7) State = 0x624e987364498d9244b62dd155e240a4
(7) Message-Authenticator = 0x012c910c69bf42cd6876c32bf8ffb696
(7) Trust-Router-COI := 'trapc65x64.localdomain'
(7) GSS-Acceptor-Realm-Name := 'main-rp65x64.localdomain'
(7) Event-Timestamp = 'Mar 20 2015 05:23:31 GMT'
(7) NAS-IP-Address = 127.0.0.1
(7) Proxy-State = 0x30
Thread 2 waiting to be assigned a request
(7) Received Access-Accept Id 105 from 192.168.213.24:2083 to
192.168.213.56:39779 length 163
(7) MS-MPPE-Recv-Key =
0x5eb67478c6a7589f59f6c24ced7fecb1fc5c03c08b75fc643d035b4bf91c598e
(7) MS-MPPE-Send-Key =
0xf4d8dfd23b3014ae7e20d695f9053bab4776789a6d445bcd80aaf2d49af6b802
(7) EAP-Message = 0x03070004
(7) Message-Authenticator = 0x7eab126e9bb769fd385c1b6ffdf805a7
(7) Proxy-State = 0x30
(7) # Executing section post-proxy from file
/etc/raddb/sites-enabled/abfab-tr-idp
(7) post-proxy {
(7) eap: No pre-existing handler found
(7) [eap] = noop
(7) } # post-proxy = noop
(7) Found Auth-Type = Accept
(7) Auth-Type = Accept, accepting the user
(7) # Executing section post-auth from file
/etc/raddb/sites-enabled/abfab-tr-idp
(7) post-auth {
(7) [exec] = noop
(7) policy remove_reply_message_if_eap {
(7) if (&reply:EAP-Message && &reply:Reply-Message) {
(7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(7) else {
(7) [noop] = noop
(7) } # else = noop
(7) } # policy remove_reply_message_if_eap = noop
(7) } # post-auth = noop
(7) Sent Access-Accept Id 0 from 0.0.0.0:2083 to 127.0.0.1:47640 length 160
(7) MS-MPPE-Recv-Key =
0x5eb67478c6a7589f59f6c24ced7fecb1fc5c03c08b75fc643d035b4bf91c598e
(7) MS-MPPE-Send-Key =
0xf4d8dfd23b3014ae7e20d695f9053bab4776789a6d445bcd80aaf2d49af6b802
(7) EAP-Message = 0x03070004
(7) Message-Authenticator = 0x7eab126e9bb769fd385c1b6ffdf805a7
(7) Finished request
Closing TLS socket from client port 47640
(0) >>> TLS 1.0 Alert [length 0002], warning close_notify
Client has closed connection
Waking up in 3.9 seconds.
(0) <done>: Cleaning up request packet ID 0 with timestamp +5
(1) <done>: Cleaning up request packet ID 0 with timestamp +5
(2) <done>: Cleaning up request packet ID 0 with timestamp +5
(3) <done>: Cleaning up request packet ID 0 with timestamp +5
(4) <done>: Cleaning up request packet ID 0 with timestamp +5
(5) <done>: Cleaning up request packet ID 0 with timestamp +5
(6) <done>: Cleaning up request packet ID 0 with timestamp +5
... shutting down socket auth from client (127.0.0.1, 47640) -> (*, 2083,
virtual-server=abfab-idp)
(7) <done>: Cleaning up request packet ID 0 with timestamp +6
Waking up in 2.9 seconds.
... cleaning up socket auth from client (127.0.0.1, 47640) -> (*, 2083,
virtual-server=abfab-idp)
Ready to process requests
>
More information about the Freeradius-Users
mailing list