Problems with Active directory integration

Spider s spidersoftware at gmail.com
Fri May 13 12:53:40 CEST 2016


------------------------------
*Problems with AD integration*
------------------------------

Fri, May 13, 2016 at 10:43 AM



Hello, I have got a problem with AD integration. I followed this guide:
http://deployingradius.com/documents/configuration/active_directory.html.



All is correct, all accepted and all tests passed. Perfect :-)

Now I need to use AD integration; this is the problem.



First I describe my scenario:

One Windows 2003 server with AD and DNS server, with a user (full
administrator privileges).

One Ubuntu 16 server (ubunturadius) with the last RADIUS version built.

Native Samba (apt-get install), not built from source.

One Unifi wifi Access Point with our RADIUS server configured (IP + secret)
for auth.

1 Windows 7 client (user to connect to wifi).

FreeRADIUS last build from source, 3.0.11.

All local tests from my Ubuntu server are correct (as in the guide).



My test (for privacy I changed the real domain to “myrealdomain” and my user
to “myrealuser”):



root at ubunturadius:~# net join -U MYREALUSER

Enter MYREALUSER's password:

Using short domain name -- MYREALDOMAIN

Joined 'UBUNTURADIUS' to dns domain 'MYREALDOMAIN.es'



root at ubunturadius:~# net ads info

LDAP server: 192.168.1.2

LDAP server name: adserver.MYREALDOMAIN.es

Realm: MYREALDOMAIN.ES

Bind Path: dc=MYREALDOMAIN,dc=ES

LDAP port: 389

Server time: jue, 12 may 2016 14:20:27 CEST

KDC server: 192.168.1.2

Server time offset: -35

-----------------------------------------------------------------------------------



root at ubunturadius:~# ntlm_auth --request-nt-key --domain=MYREALDOMAIN
--username=MYREALUSER

Password:

NT_STATUS_OK: Success (0x0)

root at ubunturadius:~#

I want:

Users to access my wifi network with Active Directory credentials only, with
no need to install a cert on Windows clients or phones.

These are my warnings:

[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay"  found in filter list for realm "DEFAULT".

[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay-USec"     found in filter list for realm
"DEFAULT".

Ignoring "sql" (see raddb/mods-available/README.rst)

Ignoring "ldap" (see raddb/mods-available/README.rst)



(6) pap: WARNING: No "known good" password found for the user.  Not setting
Auth-Type

(6) pap: WARNING: Authentication will fail unless a "known good" password
is available



(7) pap: WARNING: No "known good" password found for the user.  Not setting
Auth-Type

(7) pap: WARNING: Authentication will fail unless a "known good" password
is available


And these are the errors:

(4) eap_peap: ERROR: TLS Alert read:fatal:unknown CA

(4) eap_peap: ERROR: TLS_accept: Failed in unknown state

(4) eap_peap: ERROR: SSL says: error:14094418:SSL
routines:ssl3_read_bytes:tlsv1 alert unknown ca

(4) eap_peap: ERROR: SSL_read failed inside of TLS (-1), TLS session failed

(4) eap_peap: ERROR: TLS receive handshake failed during operation

(4) eap_peap: ERROR: [eaptls process] = fail

(4) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module
failed



(7) eap_leap: ERROR: No Cleartext-Password or NT-Password configured for
this user

(7) eap: ERROR: Failed continuing EAP LEAP (17) session.  EAP sub-module
failed



(6) eap_leap: ERROR: Successfully initiated





Any suggestion? Or next steps? I am new with FreeRADIUS, sorry.

Thank you in advance.

This is my complete debug output:



root at ubunturadius:~# clear

root at ubunturadius:~# radiusd -X

Server was built with:

  accounting               : yes

  authentication           : yes

  ascend-binary-attributes : yes

  coa                      : yes

  control-socket           : yes

  detail                   : yes

  dhcp                     : yes

  dynamic-clients          : yes

  osfc2                    : no

  proxy                    : yes

  regex-pcre               : no

  regex-posix              : yes

  regex-posix-extended     : yes

  session-management       : yes

  stats                    : yes

  tcp                      : yes

  threads                  : yes

  tls                      : yes

  unlang                   : yes

  vmps                     : yes

  developer                : no

Server core libs:

  freeradius-server        : 3.0.11

  talloc                   : 2.0.*

  ssl                      : 1.0.2g release

Endianness:

  little

Compilation flags:

  cppflags :

  cflags   : -I/home/user/freeradius-server-3.0.11
-I/home/user/freeradius-server-3.0.11/src -include
/home/user/freeradius-server-3.0.11/src/freeradius-devel/autoconf.h
-include /home/user/freeradius-server-3.0.11/src/freeradius-devel/build.h
-include
/home/user/freeradius-server-3.0.11/src/freeradius-devel/features.h
-include
/home/user/freeradius-server-3.0.11/src/freeradius-devel/radpaths.h
-fno-strict-aliasing -g -O2 -Wall -std=c99 -D_GNU_SOURCE -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -DNDEBUG -DIS_MODULE=1

  ldflags  :

  libs     : -lcrypto -lssl -ltalloc -lnsl -lresolv -ldl -lpthread



Copyright (C) 1999-2016 The FreeRADIUS server project and contributors

There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE

You may redistribute copies of FreeRADIUS under the terms of the

GNU General Public License

For more information about these matters, see the file named COPYRIGHT

Starting - reading configuration files ...

including dictionary file /usr/local/share/freeradius/dictionary

including dictionary file /usr/local/share/freeradius/dictionary.dhcp

including dictionary file /usr/local/share/freeradius/dictionary.vqp

including dictionary file /usr/local/etc/raddb/dictionary

including configuration file /usr/local/etc/raddb/radiusd.conf

including configuration file /usr/local/etc/raddb/proxy.conf

including configuration file /usr/local/etc/raddb/clients.conf

including files in directory /usr/local/etc/raddb/mods-enabled/

including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter

including configuration file /usr/local/etc/raddb/mods-enabled/chap

including configuration file /usr/local/etc/raddb/mods-enabled/preprocess

including configuration file /usr/local/etc/raddb/mods-enabled/soh

including configuration file /usr/local/etc/raddb/mods-enabled/always

including configuration file /usr/local/etc/raddb/mods-enabled/mschap

including configuration file /usr/local/etc/raddb/mods-enabled/eap

including configuration file /usr/local/etc/raddb/mods-enabled/utf8

including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap

including configuration file /usr/local/etc/raddb/mods-enabled/files

including configuration file /usr/local/etc/raddb/mods-enabled/exec

including configuration file /usr/local/etc/raddb/mods-enabled/digest

including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth

including configuration file /usr/local/etc/raddb/mods-enabled/pap

including configuration file /usr/local/etc/raddb/mods-enabled/radutmp

including configuration file /usr/local/etc/raddb/mods-enabled/unix

including configuration file /usr/local/etc/raddb/mods-enabled/passwd

including configuration file /usr/local/etc/raddb/mods-enabled/replicate

including configuration file /usr/local/etc/raddb/mods-enabled/realm

including configuration file /usr/local/etc/raddb/mods-enabled/unpack

including configuration file /usr/local/etc/raddb/mods-enabled/expiration

including configuration file /usr/local/etc/raddb/mods-enabled/echo

including configuration file
/usr/local/etc/raddb/mods-enabled/dynamic_clients

including configuration file /usr/local/etc/raddb/mods-enabled/dhcp

including configuration file /usr/local/etc/raddb/mods-enabled/detail.log

including configuration file /usr/local/etc/raddb/mods-enabled/detail

including configuration file /usr/local/etc/raddb/mods-enabled/logintime

including configuration file /usr/local/etc/raddb/mods-enabled/linelog

including configuration file /usr/local/etc/raddb/mods-enabled/expr

including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp

including files in directory /usr/local/etc/raddb/policy.d/

including configuration file /usr/local/etc/raddb/policy.d/filter

including configuration file /usr/local/etc/raddb/policy.d/canonicalization

including configuration file /usr/local/etc/raddb/policy.d/eap

including configuration file /usr/local/etc/raddb/policy.d/control

including configuration file /usr/local/etc/raddb/policy.d/abfab-tr

including configuration file /usr/local/etc/raddb/policy.d/cui

including configuration file /usr/local/etc/raddb/policy.d/debug

including configuration file /usr/local/etc/raddb/policy.d/operator-name

including configuration file /usr/local/etc/raddb/policy.d/dhcp

including configuration file /usr/local/etc/raddb/policy.d/accounting

including files in directory /usr/local/etc/raddb/sites-enabled/

including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel

including configuration file /usr/local/etc/raddb/sites-enabled/default

main {

 security {

        allow_core_dumps = no

 }

        name = "radiusd"

        prefix = "/usr/local"

        localstatedir = "/usr/local/var"

        logdir = "/usr/local/var/log/radius"

        run_dir = "/usr/local/var/run/radiusd"

}

main {

        name = "radiusd"

        prefix = "/usr/local"

        localstatedir = "/usr/local/var"

        sbindir = "/usr/local/sbin"

        logdir = "/usr/local/var/log/radius"

        run_dir = "/usr/local/var/run/radiusd"

        libdir = "/usr/local/lib"

        radacctdir = "/usr/local/var/log/radius/radacct"

        hostname_lookups = no

        max_request_time = 30

        cleanup_delay = 5

        max_requests = 16384

        pidfile = "/usr/local/var/run/radiusd/radiusd.pid"

        checkrad = "/usr/local/sbin/checkrad"

        debug_level = 0

        proxy_requests = yes

 log {

        stripped_names = no

        auth = no

        auth_badpass = no

        auth_goodpass = no

        colourise = yes

        msg_denied = "You are already logged in - access denied"

 }

 resources {

 }

 security {

        max_attributes = 200

        reject_delay = 1.000000

        status_server = yes

        allow_vulnerable_openssl = "no"

 }

}

radiusd: #### Loading Realms and Home Servers ####

 proxy server {

        retry_delay = 5

        retry_count = 3

        default_fallback = no

        dead_time = 120

        wake_all_if_all_dead = no

 }

 home_server localhost {

        ipaddr = 127.0.0.1

        port = 1812

        type = "auth"

        secret = <<< secret >>>

        response_window = 20.000000

        response_timeouts = 1

        max_outstanding = 65536

        zombie_period = 40

        status_check = "status-server"

        ping_interval = 30

        check_interval = 30

        check_timeout = 4

        num_answers_to_alive = 3

        revive_interval = 120

  limit {

        max_connections = 16

        max_requests = 0

        lifetime = 0

        idle_timeout = 0

  }

  coa {

        irt = 2

        mrt = 16

        mrc = 5

        mrd = 30

  }

 }

 home_server_pool my_auth_failover {

        type = fail-over

        home_server = localhost

 }

 realm example.com {

        auth_pool = my_auth_failover

 }

 realm LOCAL {

 }

radiusd: #### Loading Clients ####

 client localhost {

        ipaddr = 127.0.0.1

        require_message_authenticator = no

        secret = <<< secret >>>

        nas_type = "other"

        proto = "*"

  limit {

        max_connections = 16

        lifetime = 0

        idle_timeout = 30

  }

 }

 client localhost_ipv6 {

        ipv6addr = ::1

        require_message_authenticator = no

        secret = <<< secret >>>

  limit {

        max_connections = 16

        lifetime = 0

        idle_timeout = 30

  }

 }

 client rbb {

        ipaddr = 192.168.1.0/24

        require_message_authenticator = no

        secret = <<< secret >>>

  limit {

        max_connections = 16

        lifetime = 0

        idle_timeout = 30

  }

 }

Debugger not attached

 # Creating Auth-Type = PAP

 # Creating Auth-Type = CHAP

 # Creating Auth-Type = MS-CHAP

 # Creating Auth-Type = ntlm_auth

 # Creating Auth-Type = eap

 # Creating Auth-Type = digest

radiusd: #### Instantiating modules ####

 modules {

  # Loaded module rlm_attr_filter

  # Loading module "attr_filter.post-proxy" from file
/usr/local/etc/raddb/mods-enabled/attr_filter

  attr_filter attr_filter.post-proxy {

        filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"

        key = "%{Realm}"

        relaxed = no

  }

  # Loading module "attr_filter.pre-proxy" from file
/usr/local/etc/raddb/mods-enabled/attr_filter

  attr_filter attr_filter.pre-proxy {

        filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"

        key = "%{Realm}"

        relaxed = no

  }

  # Loading module "attr_filter.access_reject" from file
/usr/local/etc/raddb/mods-enabled/attr_filter

  attr_filter attr_filter.access_reject {

        filename =
"/usr/local/etc/raddb/mods-config/attr_filter/access_reject"

        key = "%{User-Name}"

        relaxed = no

  }

  # Loading module "attr_filter.access_challenge" from file
/usr/local/etc/raddb/mods-enabled/attr_filter

  attr_filter attr_filter.access_challenge {

        filename =
"/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"

        key = "%{User-Name}"

        relaxed = no

  }

  # Loading module "attr_filter.accounting_response" from file
/usr/local/etc/raddb/mods-enabled/attr_filter

  attr_filter attr_filter.accounting_response {

        filename =
"/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"

        key = "%{User-Name}"

        relaxed = no

  }

  # Loaded module rlm_chap

  # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap

  # Loaded module rlm_preprocess

  # Loading module "preprocess" from file
/usr/local/etc/raddb/mods-enabled/preprocess

  preprocess {

        huntgroups =
"/usr/local/etc/raddb/mods-config/preprocess/huntgroups"

        hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"

        with_ascend_hack = no

        ascend_channels_per_line = 23

        with_ntdomain_hack = no

        with_specialix_jetstream_hack = no

        with_cisco_vsa_hack = no

        with_alvarion_vsa_hack = no

  }

  # Loaded module rlm_soh

  # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh

  soh {

        dhcp = yes

  }

  # Loaded module rlm_always

  # Loading module "reject" from file
/usr/local/etc/raddb/mods-enabled/always

  always reject {

        rcode = "reject"

        simulcount = 0

        mpp = no

  }

  # Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always

  always fail {

        rcode = "fail"

        simulcount = 0

        mpp = no

  }

  # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always

  always ok {

        rcode = "ok"

        simulcount = 0

        mpp = no

  }

  # Loading module "handled" from file
/usr/local/etc/raddb/mods-enabled/always

  always handled {

        rcode = "handled"

        simulcount = 0

        mpp = no

  }

  # Loading module "invalid" from file
/usr/local/etc/raddb/mods-enabled/always

  always invalid {

        rcode = "invalid"

        simulcount = 0

        mpp = no

  }

  # Loading module "userlock" from file
/usr/local/etc/raddb/mods-enabled/always

  always userlock {

        rcode = "userlock"

        simulcount = 0

        mpp = no

  }

  # Loading module "notfound" from file
/usr/local/etc/raddb/mods-enabled/always

  always notfound {

        rcode = "notfound"

        simulcount = 0

        mpp = no

  }

  # Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always

  always noop {

        rcode = "noop"

        simulcount = 0

        mpp = no

  }

  # Loading module "updated" from file
/usr/local/etc/raddb/mods-enabled/always

  always updated {

        rcode = "updated"

        simulcount = 0

        mpp = no

  }

  # Loaded module rlm_mschap

  # Loading module "mschap" from file
/usr/local/etc/raddb/mods-enabled/mschap

  mschap {

        use_mppe = yes

        require_encryption = no

        require_strong = no

        with_ntdomain_hack = yes

        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{%{mschap:NT-Domain}:-MYREALDOMAIN}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

   passchange {

   }

        allow_retry = yes

  }

  # Loaded module rlm_eap

  # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap

  eap {

        default_eap_type = "peap"

        timer_expire = 60

        ignore_unknown_eap_types = no

        cisco_accounting_username_bug = no

        max_sessions = 16384

  }

  # Loaded module rlm_utf8

  # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8

  # Loaded module rlm_cache

  # Loading module "cache_eap" from file
/usr/local/etc/raddb/mods-enabled/cache_eap

  cache cache_eap {

        driver = "rlm_cache_rbtree"

        key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"

        ttl = 15

        max_entries = 0

        epoch = 0

        add_stats = no

  }

  # Loaded module rlm_files

  # Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files

  files {

        filename = "/usr/local/etc/raddb/mods-config/files/authorize"

        acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"

        preproxy_usersfile =
"/usr/local/etc/raddb/mods-config/files/pre-proxy"

  }

  # Loaded module rlm_exec

  # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec

  exec {

        wait = no

        input_pairs = "request"

        shell_escape = yes

        timeout = 10

  }

  # Loaded module rlm_digest

  # Loading module "digest" from file
/usr/local/etc/raddb/mods-enabled/digest

  # Loading module "ntlm_auth" from file
/usr/local/etc/raddb/mods-enabled/ntlm_auth

  exec ntlm_auth {

        wait = yes

        program = "/usr/bin/ntlm_auth --request-nt-key
--domain=MYREALDOMAIN --username=%{mschap:User-Name}
--password=%{User-Password}"

        shell_escape = yes

  }

  # Loaded module rlm_pap

  # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap

  pap {

        normalise = yes

  }

  # Loaded module rlm_radutmp

  # Loading module "radutmp" from file
/usr/local/etc/raddb/mods-enabled/radutmp

  radutmp {

        filename = "/usr/local/var/log/radius/radutmp"

        username = "%{User-Name}"

        case_sensitive = yes

        check_with_nas = yes

        permissions = 384

        caller_id = yes

  }

  # Loaded module rlm_unix

  # Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix

  unix {

        radwtmp = "/usr/local/var/log/radius/radwtmp"

  }

Creating attribute Unix-Group

  # Loaded module rlm_passwd

  # Loading module "etc_passwd" from file
/usr/local/etc/raddb/mods-enabled/passwd

  passwd etc_passwd {

        filename = "/etc/passwd"

        format = "*User-Name:Crypt-Password:"

        delimiter = ":"

        ignore_nislike = no

        ignore_empty = yes

        allow_multiple_keys = no

        hash_size = 100

  }

  # Loaded module rlm_replicate

  # Loading module "replicate" from file
/usr/local/etc/raddb/mods-enabled/replicate

  # Loaded module rlm_realm

  # Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm

  realm IPASS {

        format = "prefix"

        delimiter = "/"

        ignore_default = no

        ignore_null = no

  }

  # Loading module "suffix" from file
/usr/local/etc/raddb/mods-enabled/realm

  realm suffix {

        format = "suffix"

        delimiter = "@"

        ignore_default = no

        ignore_null = no

  }

  # Loading module "realmpercent" from file
/usr/local/etc/raddb/mods-enabled/realm

  realm realmpercent {

        format = "suffix"

        delimiter = "%"

        ignore_default = no

        ignore_null = no

  }

  # Loading module "ntdomain" from file
/usr/local/etc/raddb/mods-enabled/realm

  realm ntdomain {

        format = "prefix"

        delimiter = "\\"

        ignore_default = no

        ignore_null = no

  }

  # Loaded module rlm_unpack

  # Loading module "unpack" from file
/usr/local/etc/raddb/mods-enabled/unpack

  # Loaded module rlm_expiration

  # Loading module "expiration" from file
/usr/local/etc/raddb/mods-enabled/expiration

  # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo

  exec echo {

        wait = yes

        program = "/bin/echo %{User-Name}"

        input_pairs = "request"

        output_pairs = "reply"

        shell_escape = yes

  }

  # Loaded module rlm_dynamic_clients

  # Loading module "dynamic_clients" from file
/usr/local/etc/raddb/mods-enabled/dynamic_clients

  # Loaded module rlm_dhcp

  # Loading module "dhcp" from file /usr/local/etc/raddb/mods-enabled/dhcp

  # Loaded module rlm_detail

  # Loading module "auth_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log

  detail auth_log {

        filename =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"

        header = "%t"

        permissions = 384

        locking = no

        escape_filenames = no

        log_packet_header = no

  }

  # Loading module "reply_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log

  detail reply_log {

        filename =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"

        header = "%t"

        permissions = 384

        locking = no

        escape_filenames = no

        log_packet_header = no

  }

  # Loading module "pre_proxy_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log

  detail pre_proxy_log {

        filename =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"

        header = "%t"

        permissions = 384

        locking = no

        escape_filenames = no

        log_packet_header = no

  }

  # Loading module "post_proxy_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log

  detail post_proxy_log {

        filename =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"

        header = "%t"

        permissions = 384

        locking = no

        escape_filenames = no

        log_packet_header = no

  }

  # Loading module "detail" from file
/usr/local/etc/raddb/mods-enabled/detail

  detail {

        filename =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"

        header = "%t"

        permissions = 384

        locking = no

        escape_filenames = no

        log_packet_header = no

  }

  # Loaded module rlm_logintime

  # Loading module "logintime" from file
/usr/local/etc/raddb/mods-enabled/logintime

  logintime {

        minimum_timeout = 60

  }

  # Loaded module rlm_linelog

  # Loading module "linelog" from file
/usr/local/etc/raddb/mods-enabled/linelog

  linelog {

        filename = "/usr/local/var/log/radius/linelog"

        escape_filenames = no

        syslog_severity = "info"

        permissions = 384

        format = "This is a log message for %{User-Name}"

        reference = "messages.%{%{reply:Packet-Type}:-default}"

  }

  # Loading module "log_accounting" from file
/usr/local/etc/raddb/mods-enabled/linelog

  linelog log_accounting {

        filename = "/usr/local/var/log/radius/linelog-accounting"

        escape_filenames = no

        syslog_severity = "info"

        permissions = 384

        format = ""

        reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"

  }

  # Loaded module rlm_expr

  # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr

  expr {

        safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"

  }

  # Loading module "sradutmp" from file
/usr/local/etc/raddb/mods-enabled/sradutmp

  radutmp sradutmp {

        filename = "/usr/local/var/log/radius/sradutmp"

        username = "%{User-Name}"

        case_sensitive = yes

        check_with_nas = yes

        permissions = 420

        caller_id = no

  }

  instantiate {

  }

  # Instantiating module "attr_filter.post-proxy" from file
/usr/local/etc/raddb/mods-enabled/attr_filter

reading pairlist file
/usr/local/etc/raddb/mods-config/attr_filter/post-proxy

  # Instantiating module "attr_filter.pre-proxy" from file
/usr/local/etc/raddb/mods-enabled/attr_filter

reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy

  # Instantiating module "attr_filter.access_reject" from file
/usr/local/etc/raddb/mods-enabled/attr_filter

reading pairlist file
/usr/local/etc/raddb/mods-config/attr_filter/access_reject

[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay"  found in filter list for realm "DEFAULT".

[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay-USec"     found in filter list for realm
"DEFAULT".

  # Instantiating module "attr_filter.access_challenge" from file
/usr/local/etc/raddb/mods-enabled/attr_filter

reading pairlist file
/usr/local/etc/raddb/mods-config/attr_filter/access_challenge

  # Instantiating module "attr_filter.accounting_response" from file
/usr/local/etc/raddb/mods-enabled/attr_filter

reading pairlist file
/usr/local/etc/raddb/mods-config/attr_filter/accounting_response

  # Instantiating module "preprocess" from file
/usr/local/etc/raddb/mods-enabled/preprocess

reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups

reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints

  # Instantiating module "reject" from file
/usr/local/etc/raddb/mods-enabled/always

  # Instantiating module "fail" from file
/usr/local/etc/raddb/mods-enabled/always

  # Instantiating module "ok" from file
/usr/local/etc/raddb/mods-enabled/always

  # Instantiating module "handled" from file
/usr/local/etc/raddb/mods-enabled/always

  # Instantiating module "invalid" from file
/usr/local/etc/raddb/mods-enabled/always

  # Instantiating module "userlock" from file
/usr/local/etc/raddb/mods-enabled/always

  # Instantiating module "notfound" from file
/usr/local/etc/raddb/mods-enabled/always

  # Instantiating module "noop" from file
/usr/local/etc/raddb/mods-enabled/always

  # Instantiating module "updated" from file
/usr/local/etc/raddb/mods-enabled/always

  # Instantiating module "mschap" from file
/usr/local/etc/raddb/mods-enabled/mschap

rlm_mschap (mschap): authenticating by calling 'ntlm_auth'

  # Instantiating module "eap" from file
/usr/local/etc/raddb/mods-enabled/eap

   # Linked to sub-module rlm_eap_md5

   # Linked to sub-module rlm_eap_leap

   # Linked to sub-module rlm_eap_gtc

   gtc {

        challenge = "Password: "

        auth_type = "PAP"

   }

   # Linked to sub-module rlm_eap_tls

   tls {

        tls = "tls-common"

   }

   tls-config tls-common {

        verify_depth = 0

        ca_path = "/usr/local/etc/raddb/certs"

        pem_file_type = yes

        private_key_file = "/usr/local/etc/raddb/certs/server.pem"

        certificate_file = "/usr/local/etc/raddb/certs/server.pem"

        ca_file = "/usr/local/etc/raddb/certs/ca.pem"

        private_key_password = <<< secret >>>

        dh_file = "/usr/local/etc/raddb/certs/dh"

        random_file = "/dev/urandom"

        fragment_size = 1024

        include_length = yes

        auto_chain = yes

        check_crl = no

        check_all_crl = no

        cipher_list = "DEFAULT"

        ecdh_curve = "prime256v1"

    cache {

        enable = yes

        lifetime = 24

        max_entries = 255

    }

    verify {

        skip_if_ocsp_ok = no

    }

    ocsp {

        enable = no

        override_cert_url = yes

        url = "http://127.0.0.1/ocsp/"

        use_nonce = yes

        timeout = 0

        softfail = no

    }

   }

   # Linked to sub-module rlm_eap_ttls

   ttls {

        tls = "tls-common"

        default_eap_type = "md5"

        copy_request_to_tunnel = no

        use_tunneled_reply = no

        virtual_server = "inner-tunnel"

        include_length = yes

        require_client_cert = no

   }

tls: Using cached TLS configuration from previous invocation

   # Linked to sub-module rlm_eap_peap

   peap {

        tls = "tls-common"

        default_eap_type = "mschapv2"

        copy_request_to_tunnel = no

        use_tunneled_reply = no

        proxy_tunneled_request_as_eap = yes

        virtual_server = "inner-tunnel"

        soh = no

        require_client_cert = no

   }

tls: Using cached TLS configuration from previous invocation

   # Linked to sub-module rlm_eap_mschapv2

   mschapv2 {

        with_ntdomain_hack = no

        send_error = no

   }

  # Instantiating module "cache_eap" from file
/usr/local/etc/raddb/mods-enabled/cache_eap

rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked

  # Instantiating module "files" from file
/usr/local/etc/raddb/mods-enabled/files

reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize

reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting

reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy

  # Instantiating module "pap" from file
/usr/local/etc/raddb/mods-enabled/pap

  # Instantiating module "etc_passwd" from file
/usr/local/etc/raddb/mods-enabled/passwd

rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no

  # Instantiating module "IPASS" from file
/usr/local/etc/raddb/mods-enabled/realm

  # Instantiating module "suffix" from file
/usr/local/etc/raddb/mods-enabled/realm

  # Instantiating module "realmpercent" from file
/usr/local/etc/raddb/mods-enabled/realm

  # Instantiating module "ntdomain" from file
/usr/local/etc/raddb/mods-enabled/realm

  # Instantiating module "expiration" from file
/usr/local/etc/raddb/mods-enabled/expiration

  # Instantiating module "auth_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log

rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output

  # Instantiating module "reply_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log

  # Instantiating module "pre_proxy_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log

  # Instantiating module "post_proxy_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log

  # Instantiating module "detail" from file
/usr/local/etc/raddb/mods-enabled/detail

  # Instantiating module "logintime" from file
/usr/local/etc/raddb/mods-enabled/logintime

  # Instantiating module "linelog" from file
/usr/local/etc/raddb/mods-enabled/linelog

  # Instantiating module "log_accounting" from file
/usr/local/etc/raddb/mods-enabled/linelog

 } # modules

radiusd: #### Loading Virtual Servers ####

server { # from file /usr/local/etc/raddb/radiusd.conf

} # server

server inner-tunnel { # from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel

 # Loading authenticate {...}

 # Loading authorize {...}

Ignoring "sql" (see raddb/mods-available/README.rst)

Ignoring "ldap" (see raddb/mods-available/README.rst)

 # Loading session {...}

 # Loading post-proxy {...}

 # Loading post-auth {...}

} # server inner-tunnel

server default { # from file /usr/local/etc/raddb/sites-enabled/default

 # Loading authenticate {...}

 # Loading authorize {...}

 # Loading preacct {...}

 # Loading accounting {...}

 # Loading post-proxy {...}

 # Loading post-auth {...}

} # server default

radiusd: #### Opening IP addresses and Ports ####

listen {

        type = "auth"

        ipaddr = 127.0.0.1

        port = 18120

}

listen {

        type = "auth"

        ipaddr = *

        port = 0

   limit {

        max_connections = 16

        lifetime = 0

        idle_timeout = 30

   }

}

listen {

        type = "acct"

        ipaddr = *

        port = 0

   limit {

        max_connections = 16

        lifetime = 0

        idle_timeout = 30

   }

}

listen {

        type = "auth"

        ipv6addr = ::

        port = 0

   limit {

        max_connections = 16

        lifetime = 0

        idle_timeout = 30

   }

}

listen {

        type = "acct"

        ipv6addr = ::

        port = 0

   limit {

        max_connections = 16

        lifetime = 0

        idle_timeout = 30

   }

}

Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel

Listening on auth address * port 1812 bound to server default

Listening on acct address * port 1813 bound to server default

Listening on auth address :: port 1812 bound to server default

Listening on acct address :: port 1813 bound to server default

Listening on proxy address * port 53418

Listening on proxy address :: port 37259

Ready to process requests

(0) Received Access-Request Id 39 from 192.168.1.103:52056 to
192.168.1.26:1812 length 179

(0)   User-Name = "MYREALUSER"

(0)   NAS-IP-Address = 192.168.1.103

(0)   NAS-Identifier = "0418d68032b7"

(0)   NAS-Port = 0

(0)   Called-Station-Id = "04-18-D6-82-32-B7:Test_betis"

(0)   Calling-Station-Id = "28-E3-47-0E-0A-F7"

(0)   Framed-MTU = 1400

(0)   NAS-Port-Type = Wireless-802.11

(0)   Connect-Info = "CONNECT 0Mbps 802.11b"

(0)   EAP-Message = 0x02ec0010016a6f73652e63657065726f

(0)   Message-Authenticator = 0x169c8d9ad784903f1bd0b583a26ca507

(0) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default

(0)   authorize {

(0)     policy filter_username {

(0)       if (&User-Name) {

(0)       if (&User-Name)  -> TRUE

(0)       if (&User-Name)  {

(0)         if (&User-Name =~ / /) {

(0)         if (&User-Name =~ / /)  -> FALSE

(0)         if (&User-Name =~ /@[^@]*@/ ) {

(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(0)         if (&User-Name =~ /\.\./ ) {

(0)         if (&User-Name =~ /\.\./ )  -> FALSE

(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(0)         if (&User-Name =~ /\.$/)  {

(0)         if (&User-Name =~ /\.$/)   -> FALSE

(0)         if (&User-Name =~ /@\./)  {

(0)         if (&User-Name =~ /@\./)   -> FALSE

(0)       } # if (&User-Name)  = notfound

(0)     } # policy filter_username = notfound

(0)     [preprocess] = ok

(0)     [chap] = noop

(0)     [mschap] = noop

(0)     [digest] = noop

(0) suffix: Checking for suffix after "@"

(0) suffix: No '@' in User-Name = "MYREALUSER", looking up realm NULL

(0) suffix: No such realm "NULL"

(0)     [suffix] = noop

(0) eap: Peer sent EAP Response (code 2) ID 236 length 16

(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize

(0)     [eap] = ok

(0)   } # authorize = ok

(0) Found Auth-Type = eap

(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default

(0)   authenticate {

(0) eap: Peer sent packet with method EAP Identity (1)

(0) eap: Calling submodule eap_peap to process data

(0) eap_peap: Initiating new EAP-TLS session

(0) eap_peap: Flushing SSL sessions (of #0)

(0) eap_peap: [eaptls start] = request

(0) eap: Sending EAP Request (code 1) ID 237 length 6

(0) eap: EAP session adding &reply:State = 0x213be1f821d6f8f8

(0)     [eap] = handled

(0)   } # authenticate = handled

(0) Using Post-Auth-Type Challenge

(0) Post-Auth-Type sub-section not found.  Ignoring.

(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default

(0) Sent Access-Challenge Id 39 from 192.168.1.26:1812 to
192.168.1.103:52056 length 0

(0)   EAP-Message = 0x01ed00061920

(0)   Message-Authenticator = 0x00000000000000000000000000000000

(0)   State = 0x213be1f821d6f8f8b05101e28231c08a

(0) Finished request

Waking up in 4.9 seconds.

(1) Received Access-Request Id 40 from 192.168.1.103:52056 to
192.168.1.26:1812 length 286

(1)   User-Name = "MYREALUSER"

(1)   NAS-IP-Address = 192.168.1.103

(1)   NAS-Identifier = "0418d68032b7"

(1)   NAS-Port = 0

(1)   Called-Station-Id = "04-18-D6-82-32-B7:Test_betis"

(1)   Calling-Station-Id = "28-E3-47-0E-0A-F7"

(1)   Framed-MTU = 1400

(1)   NAS-Port-Type = Wireless-802.11

(1)   Connect-Info = "CONNECT 0Mbps 802.11b"

(1)   EAP-Message =
0x02ed006919800000005f160301005a01000056030157358d6168584ad09fa0f105559e3bb09c3b9eaac367f5c0d41a4db455974cd6000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100

(1)   State = 0x213be1f821d6f8f8b05101e28231c08a

(1)   Message-Authenticator = 0xdaf55d9f2e9ce4b1739c2e1db02ead0b

(1) session-state: No cached attributes

(1) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default

(1)   authorize {

(1)     policy filter_username {

(1)       if (&User-Name) {

(1)       if (&User-Name)  -> TRUE

(1)       if (&User-Name)  {

(1)         if (&User-Name =~ / /) {

(1)         if (&User-Name =~ / /)  -> FALSE

(1)         if (&User-Name =~ /@[^@]*@/ ) {

(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(1)         if (&User-Name =~ /\.\./ ) {

(1)         if (&User-Name =~ /\.\./ )  -> FALSE

(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(1)         if (&User-Name =~ /\.$/)  {

(1)         if (&User-Name =~ /\.$/)   -> FALSE

(1)         if (&User-Name =~ /@\./)  {

(1)         if (&User-Name =~ /@\./)   -> FALSE

(1)       } # if (&User-Name)  = notfound

(1)     } # policy filter_username = notfound

(1)     [preprocess] = ok

(1)     [chap] = noop

(1)     [mschap] = noop

(1)     [digest] = noop

(1) suffix: Checking for suffix after "@"

(1) suffix: No '@' in User-Name = "MYREALUSER", looking up realm NULL

(1) suffix: No such realm "NULL"

(1)     [suffix] = noop

(1) eap: Peer sent EAP Response (code 2) ID 237 length 105

(1) eap: Continuing tunnel setup

(1)     [eap] = ok

(1)   } # authorize = ok

(1) Found Auth-Type = eap

(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default

(1)   authenticate {

(1) eap: Expiring EAP session with state 0x213be1f821d6f8f8

(1) eap: Finished EAP session with state 0x213be1f821d6f8f8

(1) eap: Previous EAP request found for state 0x213be1f821d6f8f8, released
from the list

(1) eap: Peer sent packet with method EAP PEAP (25)

(1) eap: Calling submodule eap_peap to process data

(1) eap_peap: Continuing EAP-TLS

(1) eap_peap: Peer indicated complete TLS record size will be 95 bytes

(1) eap_peap: Got complete TLS record (95 bytes)

(1) eap_peap: [eaptls verify] = length included

(1) eap_peap: (other): before/accept initialization

(1) eap_peap: TLS_accept: before/accept initialization

(1) eap_peap: <<< recv TLS 1.0 Handshake [length 005a], ClientHello

(1) eap_peap: TLS_accept: unknown state

(1) eap_peap: >>> send TLS 1.0 Handshake [length 0051], ServerHello

(1) eap_peap: TLS_accept: unknown state

(1) eap_peap: >>> send TLS 1.0 Handshake [length 08d3], Certificate

(1) eap_peap: TLS_accept: unknown state

(1) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone

(1) eap_peap: TLS_accept: unknown state

(1) eap_peap: TLS_accept: unknown state

(1) eap_peap: TLS_accept: unknown state

(1) eap_peap: TLS_accept: Need to read more data: unknown state

(1) eap_peap: TLS_accept: Need to read more data: unknown state

(1) eap_peap: In SSL Handshake Phase

(1) eap_peap: In SSL Accept mode

(1) eap_peap: [eaptls process] = handled

(1) eap: Sending EAP Request (code 1) ID 238 length 1004

(1) eap: EAP session adding &reply:State = 0x213be1f820d5f8f8

(1)     [eap] = handled

(1)   } # authenticate = handled

(1) Using Post-Auth-Type Challenge

(1) Post-Auth-Type sub-section not found.  Ignoring.

(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default

(1) Sent Access-Challenge Id 40 from 192.168.1.26:1812 to
192.168.1.103:52056 length 0

(1)   EAP-Message =
0x01ee03ec19c00000093716030100510200004d030117f97f399f7607013c81be95e916b853f0af8940fe00483d24d292acc04d6c96202ed977ab59e2b1fb53c6c9b03bfdb057bcbeae26a2ded9b658a86b7c856222e8002f000005ff0100010016030108d30b0008cf0008cc0003de308203da308202c2

(1)   Message-Authenticator = 0x00000000000000000000000000000000

(1)   State = 0x213be1f820d5f8f8b05101e28231c08a

(1) Finished request

Waking up in 4.9 seconds.

(2) Received Access-Request Id 41 from 192.168.1.103:52056 to
192.168.1.26:1812 length 187

(2)   User-Name = "MYREALUSER"

(2)   NAS-IP-Address = 192.168.1.103

(2)   NAS-Identifier = "0418d68032b7"

(2)   NAS-Port = 0

(2)   Called-Station-Id = "04-18-D6-82-32-B7:Test_betis"

(2)   Calling-Station-Id = "28-E3-47-0E-0A-F7"

(2)   Framed-MTU = 1400

(2)   NAS-Port-Type = Wireless-802.11

(2)   Connect-Info = "CONNECT 0Mbps 802.11b"

(2)   EAP-Message = 0x02ee00061900

(2)   State = 0x213be1f820d5f8f8b05101e28231c08a

(2)   Message-Authenticator = 0xcecba156154f172e720424669959ad3f

(2) session-state: No cached attributes

(2) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default

(2)   authorize {

(2)     policy filter_username {

(2)       if (&User-Name) {

(2)       if (&User-Name)  -> TRUE

(2)       if (&User-Name)  {

(2)         if (&User-Name =~ / /) {

(2)         if (&User-Name =~ / /)  -> FALSE

(2)         if (&User-Name =~ /@[^@]*@/ ) {

(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(2)         if (&User-Name =~ /\.\./ ) {

(2)         if (&User-Name =~ /\.\./ )  -> FALSE

(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(2)         if (&User-Name =~ /\.$/)  {

(2)         if (&User-Name =~ /\.$/)   -> FALSE

(2)         if (&User-Name =~ /@\./)  {

(2)         if (&User-Name =~ /@\./)   -> FALSE

(2)       } # if (&User-Name)  = notfound

(2)     } # policy filter_username = notfound

(2)     [preprocess] = ok

(2)     [chap] = noop

(2)     [mschap] = noop

(2)     [digest] = noop

(2) suffix: Checking for suffix after "@"

(2) suffix: No '@' in User-Name = "MYREALUSER", looking up realm NULL

(2) suffix: No such realm "NULL"

(2)     [suffix] = noop

(2) eap: Peer sent EAP Response (code 2) ID 238 length 6

(2) eap: Continuing tunnel setup

(2)     [eap] = ok

(2)   } # authorize = ok

(2) Found Auth-Type = eap

(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default

(2)   authenticate {

(2) eap: Expiring EAP session with state 0x213be1f820d5f8f8

(2) eap: Finished EAP session with state 0x213be1f820d5f8f8

(2) eap: Previous EAP request found for state 0x213be1f820d5f8f8, released
from the list

(2) eap: Peer sent packet with method EAP PEAP (25)

(2) eap: Calling submodule eap_peap to process data

(2) eap_peap: Continuing EAP-TLS

(2) eap_peap: Peer ACKed our handshake fragment

(2) eap_peap: [eaptls verify] = request

(2) eap_peap: [eaptls process] = handled

(2) eap: Sending EAP Request (code 1) ID 239 length 1000

(2) eap: EAP session adding &reply:State = 0x213be1f823d4f8f8

(2)     [eap] = handled

(2)   } # authenticate = handled

(2) Using Post-Auth-Type Challenge

(2) Post-Auth-Type sub-section not found.  Ignoring.

(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default

(2) Sent Access-Challenge Id 41 from 192.168.1.26:1812 to
192.168.1.103:52056 length 0

(2)   EAP-Message =
0x01ef03e81940deae09109e56ad849054396ba17da89f127c950c93e7bcbc602b4c0d2adc5323d898d7aad12ad21d9c0afb4ea7378e65a806dc48f3e4ae3e253b1d3c52917d8495e53bab97b882d3c0a5e36bd0d617508e184937cb00df053f568a4657224164530004e8308204e4308203cca003020102

(2)   Message-Authenticator = 0x00000000000000000000000000000000

(2)   State = 0x213be1f823d4f8f8b05101e28231c08a

(2) Finished request

Waking up in 4.9 seconds.

(3) Received Access-Request Id 42 from 192.168.1.103:52056 to
192.168.1.26:1812 length 187

(3)   User-Name = "MYREALUSER"

(3)   NAS-IP-Address = 192.168.1.103

(3)   NAS-Identifier = "0418d68032b7"

(3)   NAS-Port = 0

(3)   Called-Station-Id = "04-18-D6-82-32-B7:Test_betis"

(3)   Calling-Station-Id = "28-E3-47-0E-0A-F7"

(3)   Framed-MTU = 1400

(3)   NAS-Port-Type = Wireless-802.11

(3)   Connect-Info = "CONNECT 0Mbps 802.11b"

(3)   EAP-Message = 0x02ef00061900

(3)   State = 0x213be1f823d4f8f8b05101e28231c08a

(3)   Message-Authenticator = 0x5f3f688d970d1bdfa3e872dc559c4c02

(3) session-state: No cached attributes

(3) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default

(3)   authorize {

(3)     policy filter_username {

(3)       if (&User-Name) {

(3)       if (&User-Name)  -> TRUE

(3)       if (&User-Name)  {

(3)         if (&User-Name =~ / /) {

(3)         if (&User-Name =~ / /)  -> FALSE

(3)         if (&User-Name =~ /@[^@]*@/ ) {

(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(3)         if (&User-Name =~ /\.\./ ) {

(3)         if (&User-Name =~ /\.\./ )  -> FALSE

(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(3)         if (&User-Name =~ /\.$/)  {

(3)         if (&User-Name =~ /\.$/)   -> FALSE

(3)         if (&User-Name =~ /@\./)  {

(3)         if (&User-Name =~ /@\./)   -> FALSE

(3)       } # if (&User-Name)  = notfound

(3)     } # policy filter_username = notfound

(3)     [preprocess] = ok

(3)     [chap] = noop

(3)     [mschap] = noop

(3)     [digest] = noop

(3) suffix: Checking for suffix after "@"

(3) suffix: No '@' in User-Name = "MYREALUSER", looking up realm NULL

(3) suffix: No such realm "NULL"

(3)     [suffix] = noop

(3) eap: Peer sent EAP Response (code 2) ID 239 length 6

(3) eap: Continuing tunnel setup

(3)     [eap] = ok

(3)   } # authorize = ok

(3) Found Auth-Type = eap

(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default

(3)   authenticate {

(3) eap: Expiring EAP session with state 0x213be1f823d4f8f8

(3) eap: Finished EAP session with state 0x213be1f823d4f8f8

(3) eap: Previous EAP request found for state 0x213be1f823d4f8f8, released
from the list

(3) eap: Peer sent packet with method EAP PEAP (25)

(3) eap: Calling submodule eap_peap to process data

(3) eap_peap: Continuing EAP-TLS

(3) eap_peap: Peer ACKed our handshake fragment

(3) eap_peap: [eaptls verify] = request

(3) eap_peap: [eaptls process] = handled

(3) eap: Sending EAP Request (code 1) ID 240 length 377

(3) eap: EAP session adding &reply:State = 0x213be1f822cbf8f8

(3)     [eap] = handled

(3)   } # authenticate = handled

(3) Using Post-Auth-Type Challenge

(3) Post-Auth-Type sub-section not found.  Ignoring.

(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default

(3) Sent Access-Challenge Id 42 from 192.168.1.26:1812 to
192.168.1.103:52056 length 0

(3)   EAP-Message =
0x01f0017919007479820900b42a350d68446398300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101007ca83bdbc26445

(3)   Message-Authenticator = 0x00000000000000000000000000000000

(3)   State = 0x213be1f822cbf8f8b05101e28231c08a

(3) Finished request

Waking up in 4.9 seconds.

(4) Received Access-Request Id 43 from 192.168.1.103:52056 to
192.168.1.26:1812 length 198

(4)   User-Name = "MYREALUSER"

(4)   NAS-IP-Address = 192.168.1.103

(4)   NAS-Identifier = "0418d68032b7"

(4)   NAS-Port = 0

(4)   Called-Station-Id = "04-18-D6-82-32-B7:Test_betis"

(4)   Calling-Station-Id = "28-E3-47-0E-0A-F7"

(4)   Framed-MTU = 1400

(4)   NAS-Port-Type = Wireless-802.11

(4)   Connect-Info = "CONNECT 0Mbps 802.11b"

(4)   EAP-Message = 0x02f0001119800000000715030100020230

(4)   State = 0x213be1f822cbf8f8b05101e28231c08a

(4)   Message-Authenticator = 0x7eeb20ed0df98fc783a20041297e8bf5

(4) session-state: No cached attributes

(4) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default

(4)   authorize {

(4)     policy filter_username {

(4)       if (&User-Name) {

(4)       if (&User-Name)  -> TRUE

(4)       if (&User-Name)  {

(4)         if (&User-Name =~ / /) {

(4)         if (&User-Name =~ / /)  -> FALSE

(4)         if (&User-Name =~ /@[^@]*@/ ) {

(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(4)         if (&User-Name =~ /\.\./ ) {

(4)         if (&User-Name =~ /\.\./ )  -> FALSE

(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(4)         if (&User-Name =~ /\.$/)  {

(4)         if (&User-Name =~ /\.$/)   -> FALSE

(4)         if (&User-Name =~ /@\./)  {

(4)         if (&User-Name =~ /@\./)   -> FALSE

(4)       } # if (&User-Name)  = notfound

(4)     } # policy filter_username = notfound

(4)     [preprocess] = ok

(4)     [chap] = noop

(4)     [mschap] = noop

(4)     [digest] = noop

(4) suffix: Checking for suffix after "@"

(4) suffix: No '@' in User-Name = "MYREALUSER", looking up realm NULL

(4) suffix: No such realm "NULL"

(4)     [suffix] = noop

(4) eap: Peer sent EAP Response (code 2) ID 240 length 17

(4) eap: Continuing tunnel setup

(4)     [eap] = ok

(4)   } # authorize = ok

(4) Found Auth-Type = eap

(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default

(4)   authenticate {

(4) eap: Expiring EAP session with state 0x213be1f822cbf8f8

(4) eap: Finished EAP session with state 0x213be1f822cbf8f8

(4) eap: Previous EAP request found for state 0x213be1f822cbf8f8, released
from the list

(4) eap: Peer sent packet with method EAP PEAP (25)

(4) eap: Calling submodule eap_peap to process data

(4) eap_peap: Continuing EAP-TLS

(4) eap_peap: Peer indicated complete TLS record size will be 7 bytes

(4) eap_peap: Got complete TLS record (7 bytes)

(4) eap_peap: [eaptls verify] = length included

(4) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca

(4) eap_peap: ERROR: TLS Alert read:fatal:unknown CA

(4) eap_peap: ERROR: TLS_accept: Failed in unknown state

(4) eap_peap: ERROR: SSL says: error:14094418:SSL
routines:ssl3_read_bytes:tlsv1 alert unknown ca

(4) eap_peap: ERROR: SSL_read failed inside of TLS (-1), TLS session failed

(4) eap_peap: ERROR: TLS receive handshake failed during operation

(4) eap_peap: ERROR: [eaptls process] = fail

(4) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module
failed

(4) eap: Sending EAP Failure (code 4) ID 240 length 4

(4) eap: Failed in EAP select

(4)     [eap] = invalid

(4)   } # authenticate = invalid

(4) Failed to authenticate the user

(4) Using Post-Auth-Type Reject

(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default

(4)   Post-Auth-Type REJECT {

(4) attr_filter.access_reject: EXPAND %{User-Name}

(4) attr_filter.access_reject:    --> MYREALUSER

(4) attr_filter.access_reject: Matched entry DEFAULT at line 11

(4)     [attr_filter.access_reject] = updated

(4)     [eap] = noop

(4)     policy remove_reply_message_if_eap {

(4)       if (&reply:EAP-Message && &reply:Reply-Message) {

(4)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE

(4)       else {

(4)         [noop] = noop

(4)       } # else = noop

(4)     } # policy remove_reply_message_if_eap = noop

(4)   } # Post-Auth-Type REJECT = updated

(4) Delaying response for 1.000000 seconds

Waking up in 0.3 seconds.

Waking up in 0.6 seconds.

(4) Sending delayed response

(4) Sent Access-Reject Id 43 from 192.168.1.26:1812 to 192.168.1.103:52056
length 44

(4)   EAP-Message = 0x04f00004

(4)   Message-Authenticator = 0x00000000000000000000000000000000

Waking up in 3.9 seconds.

(5) Received Access-Request Id 44 from 192.168.1.103:52056 to
192.168.1.26:1812 length 169

(5)   User-Name = "MYREALDOMAIN"

(5)   NAS-IP-Address = 192.168.1.103

(5)   NAS-Identifier = "0418d68032b7"

(5)   NAS-Port = 0

(5)   Called-Station-Id = "04-18-D6-82-32-B7:Test_betis"

(5)   Calling-Station-Id = "28-E3-47-0E-0A-F7"

(5)   Framed-MTU = 1400

(5)   NAS-Port-Type = Wireless-802.11

(5)   Connect-Info = "CONNECT 0Mbps 802.11b"

(5)   EAP-Message = 0x02fa000b01736f6c74656c

(5)   Message-Authenticator = 0xaf25fda9c2b97c696a3a1b54d88ba8ca

(5) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default

(5)   authorize {

(5)     policy filter_username {

(5)       if (&User-Name) {

(5)       if (&User-Name)  -> TRUE

(5)       if (&User-Name)  {

(5)         if (&User-Name =~ / /) {

(5)         if (&User-Name =~ / /)  -> FALSE

(5)         if (&User-Name =~ /@[^@]*@/ ) {

(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(5)         if (&User-Name =~ /\.\./ ) {

(5)         if (&User-Name =~ /\.\./ )  -> FALSE

(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(5)         if (&User-Name =~ /\.$/)  {

(5)         if (&User-Name =~ /\.$/)   -> FALSE

(5)         if (&User-Name =~ /@\./)  {

(5)         if (&User-Name =~ /@\./)   -> FALSE

(5)       } # if (&User-Name)  = notfound

(5)     } # policy filter_username = notfound

(5)     [preprocess] = ok

(5)     [chap] = noop

(5)     [mschap] = noop

(5)     [digest] = noop

(5) suffix: Checking for suffix after "@"

(5) suffix: No '@' in User-Name = "MYREALDOMAIN", looking up realm NULL

(5) suffix: No such realm "NULL"

(5)     [suffix] = noop

(5) eap: Peer sent EAP Response (code 2) ID 250 length 11

(5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize

(5)     [eap] = ok

(5)   } # authorize = ok

(5) Found Auth-Type = eap

(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default

(5)   authenticate {

(5) eap: Peer sent packet with method EAP Identity (1)

(5) eap: Calling submodule eap_peap to process data

(5) eap_peap: Initiating new EAP-TLS session

(5) eap_peap: [eaptls start] = request

(5) eap: Sending EAP Request (code 1) ID 251 length 6

(5) eap: EAP session adding &reply:State = 0xf20a0301f2f11a12

(5)     [eap] = handled

(5)   } # authenticate = handled

(5) Using Post-Auth-Type Challenge

(5) Post-Auth-Type sub-section not found.  Ignoring.

(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default

(5) Sent Access-Challenge Id 44 from 192.168.1.26:1812 to
192.168.1.103:52056 length 0

(5)   EAP-Message = 0x01fb00061920

(5)   Message-Authenticator = 0x00000000000000000000000000000000

(5)   State = 0xf20a0301f2f11a12b0e0c11e2bbab466

(5) Finished request

Waking up in 2.7 seconds.

(6) Received Access-Request Id 45 from 192.168.1.103:52056 to
192.168.1.26:1812 length 182

(6)   User-Name = "MYREALDOMAIN"

(6)   NAS-IP-Address = 192.168.1.103

(6)   NAS-Identifier = "0418d68032b7"

(6)   NAS-Port = 0

(6)   Called-Station-Id = "04-18-D6-82-32-B7:Test_betis"

(6)   Calling-Station-Id = "28-E3-47-0E-0A-F7"

(6)   Framed-MTU = 1400

(6)   NAS-Port-Type = Wireless-802.11

(6)   Connect-Info = "CONNECT 0Mbps 802.11b"

(6)   EAP-Message = 0x02fb00060311

(6)   State = 0xf20a0301f2f11a12b0e0c11e2bbab466

(6)   Message-Authenticator = 0x8a7e70008c3bf52db7042bc5fc7410bf

(6) session-state: No cached attributes

(6) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default

(6)   authorize {

(6)     policy filter_username {

(6)       if (&User-Name) {

(6)       if (&User-Name)  -> TRUE

(6)       if (&User-Name)  {

(6)         if (&User-Name =~ / /) {

(6)         if (&User-Name =~ / /)  -> FALSE

(6)         if (&User-Name =~ /@[^@]*@/ ) {

(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(6)         if (&User-Name =~ /\.\./ ) {

(6)         if (&User-Name =~ /\.\./ )  -> FALSE

(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(6)         if (&User-Name =~ /\.$/)  {

(6)         if (&User-Name =~ /\.$/)   -> FALSE

(6)         if (&User-Name =~ /@\./)  {

(6)         if (&User-Name =~ /@\./)   -> FALSE

(6)       } # if (&User-Name)  = notfound

(6)     } # policy filter_username = notfound

(6)     [preprocess] = ok

(6)     [chap] = noop

(6)     [mschap] = noop

(6)     [digest] = noop

(6) suffix: Checking for suffix after "@"

(6) suffix: No '@' in User-Name = "MYREALDOMAIN", looking up realm NULL

(6) suffix: No such realm "NULL"

(6)     [suffix] = noop

(6) eap: Peer sent EAP Response (code 2) ID 251 length 6

(6) eap: No EAP Start, assuming it's an on-going EAP conversation

(6)     [eap] = updated

(6)     [files] = noop

(6)     [expiration] = noop

(6)     [logintime] = noop

(6) pap: WARNING: No "known good" password found for the user.  Not setting
Auth-Type

(6) pap: WARNING: Authentication will fail unless a "known good" password
is available

(6)     [pap] = noop

(6)   } # authorize = updated

(6) Found Auth-Type = eap

(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default

(6)   authenticate {

(6) eap: Expiring EAP session with state 0xf20a0301f2f11a12

(6) eap: Finished EAP session with state 0xf20a0301f2f11a12

(6) eap: Previous EAP request found for state 0xf20a0301f2f11a12, released
from the list

(6) eap: Peer sent packet with method EAP NAK (3)

(6) eap: Found mutually acceptable type LEAP (17)

(6) eap: Calling submodule eap_leap to process data

(6) eap_leap: Stage 2

(6) eap_leap: Issuing AP Challenge

(6) eap_leap: ERROR: Successfully initiated

(6) eap: Sending EAP Request (code 1) ID 252 length 22

(6) eap: EAP session adding &reply:State = 0xf20a0301f3f61212

(6)     [eap] = handled

(6)   } # authenticate = handled

(6) Using Post-Auth-Type Challenge

(6) Post-Auth-Type sub-section not found.  Ignoring.

(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default

(6) Sent Access-Challenge Id 45 from 192.168.1.26:1812 to
192.168.1.103:52056 length 0

(6)   EAP-Message = 0x01fc00161101000846a35641fcdf0b48736f6c74656c

(6)   Message-Authenticator = 0x00000000000000000000000000000000

(6)   State = 0xf20a0301f3f61212b0e0c11e2bbab466

(6) Finished request

Waking up in 2.7 seconds.

(7) Received Access-Request Id 46 from 192.168.1.103:52056 to
192.168.1.26:1812 length 214

(7)   User-Name = "MYREALDOMAIN"

(7)   NAS-IP-Address = 192.168.1.103

(7)   NAS-Identifier = "0418d68032b7"

(7)   NAS-Port = 0

(7)   Called-Station-Id = "04-18-D6-82-32-B7:Test_betis"

(7)   Calling-Station-Id = "28-E3-47-0E-0A-F7"

(7)   Framed-MTU = 1400

(7)   NAS-Port-Type = Wireless-802.11

(7)   Connect-Info = "CONNECT 0Mbps 802.11b"

(7)   EAP-Message =
0x02fc002611010018dd952ffac3a648e2d0da9ff39d9652f607297d7837811c77736f6c74656c

(7)   State = 0xf20a0301f3f61212b0e0c11e2bbab466

(7)   Message-Authenticator = 0xf5a04a8e118baddb17c2aab8a38c046b

(7) session-state: No cached attributes

(7) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default

(7)   authorize {

(7)     policy filter_username {

(7)       if (&User-Name) {

(7)       if (&User-Name)  -> TRUE

(7)       if (&User-Name)  {

(7)         if (&User-Name =~ / /) {

(7)         if (&User-Name =~ / /)  -> FALSE

(7)         if (&User-Name =~ /@[^@]*@/ ) {

(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(7)         if (&User-Name =~ /\.\./ ) {

(7)         if (&User-Name =~ /\.\./ )  -> FALSE

(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(7)         if (&User-Name =~ /\.$/)  {

(7)         if (&User-Name =~ /\.$/)   -> FALSE

(7)         if (&User-Name =~ /@\./)  {

(7)         if (&User-Name =~ /@\./)   -> FALSE

(7)       } # if (&User-Name)  = notfound

(7)     } # policy filter_username = notfound

(7)     [preprocess] = ok

(7)     [chap] = noop

(7)     [mschap] = noop

(7)     [digest] = noop

(7) suffix: Checking for suffix after "@"

(7) suffix: No '@' in User-Name = "MYREALDOMAIN", looking up realm NULL

(7) suffix: No such realm "NULL"

(7)     [suffix] = noop

(7) eap: Peer sent EAP Response (code 2) ID 252 length 38

(7) eap: No EAP Start, assuming it's an on-going EAP conversation

(7)     [eap] = updated

(7)     [files] = noop

(7)     [expiration] = noop

(7)     [logintime] = noop

(7) pap: WARNING: No "known good" password found for the user.  Not setting
Auth-Type

(7) pap: WARNING: Authentication will fail unless a "known good" password
is available

(7)     [pap] = noop

(7)   } # authorize = updated

(7) Found Auth-Type = eap

(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default

(7)   authenticate {

(7) eap: Expiring EAP session with state 0xf20a0301f3f61212

(7) eap: Finished EAP session with state 0xf20a0301f3f61212

(7) eap: Previous EAP request found for state 0xf20a0301f3f61212, released
from the list

(7) eap: Peer sent packet with method EAP LEAP (17)

(7) eap: Calling submodule eap_leap to process data

(7) eap_leap: ERROR: No Cleartext-Password or NT-Password configured for
this user

(7) eap: ERROR: Failed continuing EAP LEAP (17) session.  EAP sub-module
failed

(7) eap: Sending EAP Failure (code 4) ID 252 length 4

(7) eap: Failed in EAP select

(7)     [eap] = invalid

(7)   } # authenticate = invalid

(7) Failed to authenticate the user

(7) Using Post-Auth-Type Reject

(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default

(7)   Post-Auth-Type REJECT {

(7) attr_filter.access_reject: EXPAND %{User-Name}

(7) attr_filter.access_reject:    --> MYREALDOMAIN

(7) attr_filter.access_reject: Matched entry DEFAULT at line 11

(7)     [attr_filter.access_reject] = updated

(7)     [eap] = noop

(7)     policy remove_reply_message_if_eap {

(7)       if (&reply:EAP-Message && &reply:Reply-Message) {

(7)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE

(7)       else {

(7)         [noop] = noop

(7)       } # else = noop

(7)     } # policy remove_reply_message_if_eap = noop

(7)   } # Post-Auth-Type REJECT = updated

(7) Delaying response for 1.000000 seconds

Waking up in 0.3 seconds.

Waking up in 0.6 seconds.

(7) Sending delayed response

(7) Sent Access-Reject Id 46 from 192.168.1.26:1812 to 192.168.1.103:52056
length 44

(7)   EAP-Message = 0x04fc0004

(7)   Message-Authenticator = 0x00000000000000000000000000000000

Waking up in 1.7 seconds.

(0) Cleaning up request packet ID 39 with timestamp +25

(1) Cleaning up request packet ID 40 with timestamp +25

(2) Cleaning up request packet ID 41 with timestamp +25

(3) Cleaning up request packet ID 42 with timestamp +25

(4) Cleaning up request packet ID 43 with timestamp +25

Waking up in 2.1 seconds.

(5) Cleaning up request packet ID 44 with timestamp +27

(6) Cleaning up request packet ID 45 with timestamp +27

(7) Cleaning up request packet ID 46 with timestamp +27

Ready to process requests


More information about the Freeradius-Users mailing list