Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
January 2008
- 188 participants
- 243 discussions
> You can use the "hints" file to do what you want. It does *not* say
> you can only use prefix & suffix matching.
I was referring to the following in the sample hints file:
# Matching can take place with the the Prefix and Suffix
# attributes, just like in the "users" file.
# These attributes operate ONLY on the username, though.
And this in the doc/README file:
Customize the /etc/raddb/hints file. This file is used to give users a
different login type based on a prefix/suffix of their loginname. For
example, logging in as "user" may result in a rlogin session to a Unix
system, and logging in as "Puser" could start a PPP session.
Is there another document that describes matching on other attributes
and how to add new attributes to the request. I think these paragraphs
need updating. Are you saying I can do this in hints:
DEFAULT Cisco-AVPair == "", My-Group := "RadioIP-MAU"
DEFAULT Cisco-AVPair == "ssid=(.*)", My-Group := "Wireless %{1}"
DEFAULT My-Group := "Unknown source"
That is, does hints work just like the users file, except it adds any
new attributes to the request? If so, this is exactly what I need! If
the syntax or usage is off, can you correct me.
Thanks Alan.
4
4
Hi People
First thank you, I been reading this mailing list for some time and I found
it great source of help
I want to share some info with you and than ask a question
We are slowly moving here into Java and starting to have Diameter
requirements
I found OpenBloX Java Diameter a great source of help (i think its GPL)and
it seems to meet our requirements (*
http://sourceforge.net/projects/openblox/**) *
as anyone else been using it, I will be happy for some feedback
I guess this is the right place for a feedback with so many AAA gurus around
J so sorry again for my post
Thanks In advance
RP
4
4
I build it by adding rlm_opendirectory to the ./src/modules/stable file.
Then, run:
make distclean
./configure <stuff>
etc…
Everything you need should be on the desktop OS. Let me know if that
is not the case.
If you are on desktop, you'll probably want to set up a service access
list.
The magic group name that gets set up by the admin tools is:
com.apple.access_radius.
- Steven
On Jan 22, 2008, at 7:54 AM, freeradius-users-request(a)lists.freeradius.org
wrote:
> From: Info <info(a)sparkmediagroup.com>
> Date: January 22, 2008 7:50:57 AM PST
> To: FreeRadius users mailing list <freeradius-users(a)lists.freeradius.org
> >
> Subject: rlm_opendirectory (FR 2.0.0)
> Reply-To: FreeRadius users mailing list <freeradius-users(a)lists.freeradius.org
> >
>
>
> Hello all,
>
> Quick Qs about the experimental rlm_opendirectory module:
>
> * Has anyone built in this module successfully?
>
> * Is it possible to add this in without the other experimental
> modules and, if so, what is the proper flag? (Note, I've tried on
> separate runs --with-rlm_opendirectory, --enable-rlm_opendirectory,
> and --with-modules="rlm_opendirectory" seemingly to no avail.)
>
> * Does the module need to be built against a server version of the
> Framework or should I be able to build this from the libraries on
> any os x workstation?
>
> Cheers,
>
> Jim
14
31
Hi!
I have a Domino (6.5.4FP3) ldap which I would like to use as a backend
for freeradius.
My clients (winxp) uses eap-mschapv2, would it be possible for
freeradius to match the password from the domino with the one supplied
by the client?
If it ain't possible what would it take to achieve it?
I'm sorry if the question has been asked too many times, but I can't
find a answer on the net or in this list....
Thanks
-CP
3
4
Hello Everyone,
I need help setting up custom replies for each NAS in my organization. I.E
I have NAS A and NAS B
When NAS A communicates with our Radius Server (Freeradius) I want to send
back Tunnel attributes on domain matching. (i.e *(a)domain.com - a set of
tunnel attributes Service-Type, Tunnel-Password, Tunnel-Type...etc - not
user specific).
When NAS B communicates with our Radius I want to send back specific
information about the user it's requesting (i.e user(a)domain.com - Framed-IP,
Framed-Netmask...etc)
Since both requests are addressed to domain.com how can I selectively allow
only certain responses to NAS A and others to NAS B?
Thanks for the help
Adrian Boros
5
23
29 Feb '08
hello everybody,
i try many time to resolve this pb but i dont found the solution.
my configuration is:
freeradius-1.1.1 on fedora6+ nas switch cisco3560+ and wind xp client.
On wireless, my configuration work, when i use NAS AP of cisco1200.
But when i use my configuration to authenticate xp on lan network only: its not work.
i saw on debug -X -A, that freeradius receive ACCES_REQUEST but when he send ACCES_CHALLENGE he cannot.
on trame analysis on freerdaius, i saw that he cannot send on the port that the switch tel him to send.
i m blocked on this step, and i cannot found the solution.
on my configuration, i use users: "users" "password" only
i havent active directory. on my switch, i dont make vlan.
can some one help me.
thanks for all
_________________________________________________________________
Découvrez de nouvelles façons de rester en contact grâce à Windows Live! Visitez la Cité @ Live dès aujourd’hui!
http://www.tonadresselive.ca/?icid=LIVEIDFRCA006
2
2
18 Feb '08
Hi!
I'm trying to setup the following scheme:
[win_xp]-----[Wi-Fi AP with WPA]-------[FreeRADIUS]--------[home RADIUS server]
FreeRADIUS: 1.1.7
Users being connected to access point must be authenticated against EAP-PEAP-MS-CHAPv2 protocol.
Home RADIUS server can do only MS-CHAPv2 authorization and knows nothing about EAP.
To pass extracted MS-CHAPv2 request from PEAP tunnel I've turned off proxy_tunneled_request_as_eap:
---------eap.conf-------------
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = no
}
--------users-----------------
aaa FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "xxx"
Fall-Through := No
--------proxy.conf------------
realm xxx {
type = radius
authhost = 192.168.2.80:1812
accthost = 192.168.2.80:1813
secret = pretty_secret
}
------------------------------
Authorization requests are being proxied from FreeRADIUS to home RADIUS server as plain MS-CHAPv2.
Home server authorizes client and passes back MS-MPPE-*-Keys. But FreeRADIUS discards all MS-CHAPv2 attributes from
proxy reply just saying "rlm_eap_mschapv2: Authentication succeeded.".
Here is the response from home server:
rad_recv: Access-Accept packet from host 192.168.2.80:1812, id=0, length=262
Wed Jan 30 15:03:33 2008 : Debug: proxy: de-allocating 5002a8c0:1812 0
Reply-Message = "ACCESS: GRANTED"
Reply-Message = "AGREEMENT-ID: 587986"
Framed-IP-Address = 192.168.2.56
Framed-IP-Netmask = 255.255.255.255
Framed-Protocol = PPP
MS-CHAP2-Success = 0x00533d37354142314531443945333538353133414541334245443244314630344333384533363742384232
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Recv-Key = 0xadfa59550658460011ffff6aee8df748
MS-MPPE-Send-Key = 0x2f62bd6b536d9e6141790bf5c477a5b8
Service-Type = Framed-User
Reply-Message = "STATUS: 0.00000000"
and the response to Wi-Fi AP before tunnel:
PEAP: Final reply from tunneled session code 11
Reply-Message = "ACCESS: GRANTED"
Reply-Message = "AGREEMENT-ID: 587986"
Framed-IP-Address = 192.168.2.56
Framed-IP-Netmask = 255.255.255.255
Framed-Protocol = PPP
Service-Type = Framed-User
Reply-Message = "STATUS: 0.00000000"
EAP-Message = 0x010700331a0306002e533d37354142314531443945333538353133414541334245443244314630344333384533363742384232
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbb336a79c074253ad516aa753953f8aa
There is no MS-CHAP2-Success attribute here. So no "rlm_eap_peap: Success" at the end of challenge and no
Access-Accept packet being sent to Wi-Fi AP.
When username is configured locally (i.e. with no proxying request to home server), everything works fine.
Does anyone have such working scheme here?
Please find complete log attached.
--
Best wishes,
Dmitry Sergienko (SDA104-RIPE)
Trifle Co., Ltd.
Wed Jan 30 16:21:17 2008 : Info: Starting - reading configuration files ...
Wed Jan 30 16:21:17 2008 : Debug: reread_config: reading radiusd.conf
Wed Jan 30 16:21:17 2008 : Debug: Config: including file: /etc/freeradius/proxy.conf
Wed Jan 30 16:21:17 2008 : Debug: Config: including file: /etc/freeradius/clients.conf
Wed Jan 30 16:21:17 2008 : Debug: Config: including file: /etc/freeradius/snmp.conf
Wed Jan 30 16:21:17 2008 : Debug: Config: including file: /etc/freeradius/eap.conf
Wed Jan 30 16:21:17 2008 : Debug: Config: including file: /etc/freeradius/sql.conf
Wed Jan 30 16:21:17 2008 : Debug: main: prefix = "/usr"
Wed Jan 30 16:21:17 2008 : Debug: main: localstatedir = "/var"
Wed Jan 30 16:21:17 2008 : Debug: main: logdir = "/var/log/freeradius"
Wed Jan 30 16:21:17 2008 : Debug: main: libdir = "/usr/lib/freeradius"
Wed Jan 30 16:21:17 2008 : Debug: main: radacctdir = "/var/log/freeradius/radacct"
Wed Jan 30 16:21:17 2008 : Debug: main: hostname_lookups = no
Wed Jan 30 16:21:17 2008 : Debug: main: snmp = no
Wed Jan 30 16:21:17 2008 : Debug: main: max_request_time = 30
Wed Jan 30 16:21:17 2008 : Debug: main: cleanup_delay = 5
Wed Jan 30 16:21:17 2008 : Debug: main: max_requests = 1024
Wed Jan 30 16:21:17 2008 : Debug: main: delete_blocked_requests = 0
Wed Jan 30 16:21:17 2008 : Debug: main: port = 0
Wed Jan 30 16:21:17 2008 : Debug: main: allow_core_dumps = no
Wed Jan 30 16:21:17 2008 : Debug: main: log_stripped_names = no
Wed Jan 30 16:21:17 2008 : Debug: main: log_file = "/var/log/freeradius/radius.log"
Wed Jan 30 16:21:17 2008 : Debug: main: log_auth = no
Wed Jan 30 16:21:17 2008 : Debug: main: log_auth_badpass = no
Wed Jan 30 16:21:17 2008 : Debug: main: log_auth_goodpass = no
Wed Jan 30 16:21:17 2008 : Debug: main: pidfile = "/var/run/freeradius/freeradius.pid"
Wed Jan 30 16:21:17 2008 : Debug: main: user = "freerad"
Wed Jan 30 16:21:17 2008 : Debug: main: group = "freerad"
Wed Jan 30 16:21:17 2008 : Debug: main: usercollide = no
Wed Jan 30 16:21:17 2008 : Debug: main: lower_user = "no"
Wed Jan 30 16:21:17 2008 : Debug: main: lower_pass = "no"
Wed Jan 30 16:21:17 2008 : Debug: main: nospace_user = "no"
Wed Jan 30 16:21:17 2008 : Debug: main: nospace_pass = "no"
Wed Jan 30 16:21:17 2008 : Debug: main: checkrad = "/usr/sbin/checkrad"
Wed Jan 30 16:21:17 2008 : Debug: main: proxy_requests = yes
Wed Jan 30 16:21:17 2008 : Debug: proxy: retry_delay = 5
Wed Jan 30 16:21:17 2008 : Debug: proxy: retry_count = 3
Wed Jan 30 16:21:17 2008 : Debug: proxy: synchronous = no
Wed Jan 30 16:21:17 2008 : Debug: proxy: default_fallback = yes
Wed Jan 30 16:21:17 2008 : Debug: proxy: dead_time = 120
Wed Jan 30 16:21:17 2008 : Debug: proxy: post_proxy_authorize = no
Wed Jan 30 16:21:17 2008 : Debug: proxy: wake_all_if_all_dead = no
Wed Jan 30 16:21:17 2008 : Debug: security: max_attributes = 200
Wed Jan 30 16:21:17 2008 : Debug: security: reject_delay = 1
Wed Jan 30 16:21:17 2008 : Debug: security: status_server = no
Wed Jan 30 16:21:17 2008 : Debug: main: debug_level = 0
Wed Jan 30 16:21:17 2008 : Debug: read_config_files: reading dictionary
Wed Jan 30 16:21:17 2008 : Debug: read_config_files: reading naslist
Wed Jan 30 16:21:17 2008 : Debug: read_config_files: reading clients
Wed Jan 30 16:21:17 2008 : Debug: read_config_files: reading realms
Wed Jan 30 16:21:17 2008 : Debug: radiusd: entering modules setup
Wed Jan 30 16:21:17 2008 : Debug: Module: Library search path is /usr/lib/freeradius
Wed Jan 30 16:21:17 2008 : Debug: Module: Loaded exec
Wed Jan 30 16:21:17 2008 : Debug: exec: wait = yes
Wed Jan 30 16:21:17 2008 : Debug: exec: program = "(null)"
Wed Jan 30 16:21:17 2008 : Debug: exec: input_pairs = "request"
Wed Jan 30 16:21:17 2008 : Debug: exec: output_pairs = "(null)"
Wed Jan 30 16:21:17 2008 : Debug: exec: packet_type = "(null)"
Wed Jan 30 16:21:17 2008 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed Jan 30 16:21:17 2008 : Debug: Module: Instantiated exec (exec)
Wed Jan 30 16:21:17 2008 : Debug: Module: Loaded expr
Wed Jan 30 16:21:17 2008 : Debug: Module: Instantiated expr (expr)
Wed Jan 30 16:21:17 2008 : Debug: Module: Loaded PAP
Wed Jan 30 16:21:17 2008 : Debug: pap: encryption_scheme = "crypt"
Wed Jan 30 16:21:17 2008 : Debug: pap: auto_header = yes
Wed Jan 30 16:21:17 2008 : Debug: Module: Instantiated pap (pap)
Wed Jan 30 16:21:17 2008 : Debug: Module: Loaded CHAP
Wed Jan 30 16:21:17 2008 : Debug: Module: Instantiated chap (chap)
Wed Jan 30 16:21:17 2008 : Debug: Module: Loaded MS-CHAP
Wed Jan 30 16:21:17 2008 : Debug: mschap: use_mppe = yes
Wed Jan 30 16:21:17 2008 : Debug: mschap: require_encryption = no
Wed Jan 30 16:21:17 2008 : Debug: mschap: require_strong = no
Wed Jan 30 16:21:17 2008 : Debug: mschap: with_ntdomain_hack = no
Wed Jan 30 16:21:17 2008 : Debug: mschap: passwd = "(null)"
Wed Jan 30 16:21:17 2008 : Debug: mschap: ntlm_auth = "(null)"
Wed Jan 30 16:21:17 2008 : Debug: Module: Instantiated mschap (mschap)
Wed Jan 30 16:21:17 2008 : Debug: Module: Loaded System
Wed Jan 30 16:21:17 2008 : Debug: unix: cache = no
Wed Jan 30 16:21:17 2008 : Debug: unix: passwd = "(null)"
Wed Jan 30 16:21:17 2008 : Debug: unix: shadow = "/etc/shadow"
Wed Jan 30 16:21:17 2008 : Debug: unix: group = "(null)"
Wed Jan 30 16:21:17 2008 : Debug: unix: radwtmp = "/var/log/freeradius/radwtmp"
Wed Jan 30 16:21:17 2008 : Debug: unix: usegroup = no
Wed Jan 30 16:21:17 2008 : Debug: unix: cache_reload = 600
Wed Jan 30 16:21:17 2008 : Debug: Module: Instantiated unix (unix)
Wed Jan 30 16:21:17 2008 : Debug: Module: Loaded eap
Wed Jan 30 16:21:17 2008 : Debug: eap: default_eap_type = "peap"
Wed Jan 30 16:21:17 2008 : Debug: eap: timer_expire = 60
Wed Jan 30 16:21:17 2008 : Debug: eap: ignore_unknown_eap_types = no
Wed Jan 30 16:21:17 2008 : Debug: eap: cisco_accounting_username_bug = no
Wed Jan 30 16:21:17 2008 : Debug: rlm_eap: Loaded and initialized type md5
Wed Jan 30 16:21:17 2008 : Debug: rlm_eap: Loaded and initialized type leap
Wed Jan 30 16:21:17 2008 : Debug: gtc: challenge = "Password: "
Wed Jan 30 16:21:17 2008 : Debug: gtc: auth_type = "PAP"
Wed Jan 30 16:21:17 2008 : Debug: rlm_eap: Loaded and initialized type gtc
Wed Jan 30 16:21:17 2008 : Debug: tls: rsa_key_exchange = no
Wed Jan 30 16:21:17 2008 : Debug: tls: dh_key_exchange = yes
Wed Jan 30 16:21:17 2008 : Debug: tls: rsa_key_length = 512
Wed Jan 30 16:21:17 2008 : Debug: tls: dh_key_length = 512
Wed Jan 30 16:21:17 2008 : Debug: tls: verify_depth = 0
Wed Jan 30 16:21:17 2008 : Debug: tls: CA_path = "(null)"
Wed Jan 30 16:21:17 2008 : Debug: tls: pem_file_type = yes
Wed Jan 30 16:21:17 2008 : Debug: tls: private_key_file = "/etc/freeradius/certs/cert-srv.pem"
Wed Jan 30 16:21:17 2008 : Debug: tls: certificate_file = "/etc/freeradius/certs/cert-srv.pem"
Wed Jan 30 16:21:17 2008 : Debug: tls: CA_file = "/etc/freeradius/certs/demoCA/cacert.pem"
Wed Jan 30 16:21:17 2008 : Debug: tls: private_key_password = "whatever"
Wed Jan 30 16:21:17 2008 : Debug: tls: dh_file = "/etc/freeradius/certs/dh"
Wed Jan 30 16:21:17 2008 : Debug: tls: random_file = "/etc/freeradius/certs/random"
Wed Jan 30 16:21:17 2008 : Debug: tls: fragment_size = 1024
Wed Jan 30 16:21:17 2008 : Debug: tls: include_length = yes
Wed Jan 30 16:21:17 2008 : Debug: tls: check_crl = no
Wed Jan 30 16:21:17 2008 : Debug: tls: check_cert_cn = "(null)"
Wed Jan 30 16:21:17 2008 : Debug: tls: cipher_list = "(null)"
Wed Jan 30 16:21:17 2008 : Debug: tls: check_cert_issuer = "(null)"
Wed Jan 30 16:21:17 2008 : Info: rlm_eap_tls: Loading the certificate file as a chain
Wed Jan 30 16:21:17 2008 : Info: WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work!
Wed Jan 30 16:21:17 2008 : Debug: WARNING: Fix this by running the OpenSSL command listed in eap.conf
Wed Jan 30 16:21:17 2008 : Debug: rlm_eap: Loaded and initialized type tls
Wed Jan 30 16:21:17 2008 : Debug: peap: default_eap_type = "mschapv2"
Wed Jan 30 16:21:17 2008 : Debug: peap: copy_request_to_tunnel = no
Wed Jan 30 16:21:17 2008 : Debug: peap: use_tunneled_reply = no
Wed Jan 30 16:21:17 2008 : Debug: peap: proxy_tunneled_request_as_eap = no
Wed Jan 30 16:21:17 2008 : Debug: rlm_eap: Loaded and initialized type peap
Wed Jan 30 16:21:17 2008 : Debug: mschapv2: with_ntdomain_hack = no
Wed Jan 30 16:21:17 2008 : Debug: rlm_eap: Loaded and initialized type mschapv2
Wed Jan 30 16:21:17 2008 : Debug: Module: Instantiated eap (eap)
Wed Jan 30 16:21:17 2008 : Debug: Module: Loaded preprocess
Wed Jan 30 16:21:17 2008 : Debug: preprocess: huntgroups = "/etc/freeradius/huntgroups"
Wed Jan 30 16:21:17 2008 : Debug: preprocess: hints = "/etc/freeradius/hints"
Wed Jan 30 16:21:17 2008 : Debug: preprocess: with_ascend_hack = no
Wed Jan 30 16:21:17 2008 : Debug: preprocess: ascend_channels_per_line = 23
Wed Jan 30 16:21:17 2008 : Debug: preprocess: with_ntdomain_hack = no
Wed Jan 30 16:21:17 2008 : Debug: preprocess: with_specialix_jetstream_hack = no
Wed Jan 30 16:21:17 2008 : Debug: preprocess: with_cisco_vsa_hack = no
Wed Jan 30 16:21:17 2008 : Debug: preprocess: with_alvarion_vsa_hack = no
Wed Jan 30 16:21:17 2008 : Debug: Module: Instantiated preprocess (preprocess)
Wed Jan 30 16:21:17 2008 : Debug: Module: Loaded detail
Wed Jan 30 16:21:17 2008 : Debug: detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
Wed Jan 30 16:21:17 2008 : Debug: detail: detailperm = 384
Wed Jan 30 16:21:17 2008 : Debug: detail: dirperm = 493
Wed Jan 30 16:21:17 2008 : Debug: detail: locking = no
Wed Jan 30 16:21:17 2008 : Debug: Module: Instantiated detail (auth_log)
Wed Jan 30 16:21:17 2008 : Debug: Module: Loaded attr_filter
Wed Jan 30 16:21:17 2008 : Debug: attr_filter: attrsfile = "/etc/freeradius/attrs"
Wed Jan 30 16:21:17 2008 : Error: rlm_attr_filter: Authorize method will be deprecated.
Wed Jan 30 16:21:17 2008 : Debug: Module: Instantiated attr_filter (attr_filter)
Wed Jan 30 16:21:17 2008 : Debug: Module: Loaded realm
Wed Jan 30 16:21:17 2008 : Debug: realm: format = "suffix"
Wed Jan 30 16:21:17 2008 : Debug: realm: delimiter = "@"
Wed Jan 30 16:21:17 2008 : Debug: realm: ignore_default = no
Wed Jan 30 16:21:17 2008 : Debug: realm: ignore_null = no
Wed Jan 30 16:21:17 2008 : Debug: Module: Instantiated realm (suffix)
Wed Jan 30 16:21:17 2008 : Debug: Module: Loaded files
Wed Jan 30 16:21:17 2008 : Debug: files: usersfile = "/etc/freeradius/users"
Wed Jan 30 16:21:17 2008 : Debug: files: acctusersfile = "/etc/freeradius/acct_users"
Wed Jan 30 16:21:17 2008 : Debug: files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
Wed Jan 30 16:21:17 2008 : Debug: files: compat = "no"
Wed Jan 30 16:21:17 2008 : Debug: Module: Instantiated files (files)
Wed Jan 30 16:21:17 2008 : Debug: Module: Loaded Acct-Unique-Session-Id
Wed Jan 30 16:21:17 2008 : Debug: acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Wed Jan 30 16:21:17 2008 : Debug: Module: Instantiated acct_unique (acct_unique)
Wed Jan 30 16:21:17 2008 : Debug: detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
Wed Jan 30 16:21:17 2008 : Debug: detail: detailperm = 384
Wed Jan 30 16:21:17 2008 : Debug: detail: dirperm = 493
Wed Jan 30 16:21:17 2008 : Debug: detail: locking = no
Wed Jan 30 16:21:17 2008 : Debug: Module: Instantiated detail (detail)
Wed Jan 30 16:21:17 2008 : Debug: Module: Loaded radutmp
Wed Jan 30 16:21:17 2008 : Debug: radutmp: filename = "/var/log/freeradius/radutmp"
Wed Jan 30 16:21:17 2008 : Debug: radutmp: username = "%{User-Name}"
Wed Jan 30 16:21:17 2008 : Debug: radutmp: case_sensitive = yes
Wed Jan 30 16:21:17 2008 : Debug: radutmp: check_with_nas = yes
Wed Jan 30 16:21:17 2008 : Debug: radutmp: perm = 384
Wed Jan 30 16:21:17 2008 : Debug: radutmp: callerid = yes
Wed Jan 30 16:21:17 2008 : Debug: Module: Instantiated radutmp (radutmp)
Wed Jan 30 16:21:17 2008 : Debug: detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d"
Wed Jan 30 16:21:17 2008 : Debug: detail: detailperm = 384
Wed Jan 30 16:21:17 2008 : Debug: detail: dirperm = 493
Wed Jan 30 16:21:17 2008 : Debug: detail: locking = no
Wed Jan 30 16:21:17 2008 : Debug: Module: Instantiated detail (pre_proxy_log)
Wed Jan 30 16:21:17 2008 : Debug: detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d"
Wed Jan 30 16:21:17 2008 : Debug: detail: detailperm = 384
Wed Jan 30 16:21:17 2008 : Debug: detail: dirperm = 493
Wed Jan 30 16:21:17 2008 : Debug: detail: locking = no
Wed Jan 30 16:21:17 2008 : Debug: Module: Instantiated detail (post_proxy_log)
Wed Jan 30 16:21:17 2008 : Debug: detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"
Wed Jan 30 16:21:17 2008 : Debug: detail: detailperm = 384
Wed Jan 30 16:21:17 2008 : Debug: detail: dirperm = 493
Wed Jan 30 16:21:17 2008 : Debug: detail: locking = no
Wed Jan 30 16:21:17 2008 : Debug: Module: Instantiated detail (reply_log)
Wed Jan 30 16:21:17 2008 : Debug: Listening on authentication *:1812
Wed Jan 30 16:21:17 2008 : Debug: Listening on accounting *:1813
Wed Jan 30 16:21:17 2008 : Debug: Listening on proxy *:1814
Wed Jan 30 16:21:17 2008 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 192.168.2.28:1032, id=0, length=184
Message-Authenticator = 0x95738e03d1fb1c0ceba98dbdf1ab912f
Service-Type = Framed-User
User-Name = "aaa"
Framed-MTU = 1488
Called-Station-Id = "00-15-E9-AE-B2-BF:WLAN"
Calling-Station-Id = "00-17-9A-82-C7-7B"
NAS-Identifier = "WLAN Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0200000801616161
NAS-IP-Address = 192.168.2.28
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
Wed Jan 30 16:21:23 2008 : Debug: Processing the authorize section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group authorize for request 0
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "preprocess" returns ok for request 0
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling auth_log (rlm_detail) for request 0
Wed Jan 30 16:21:23 2008 : Debug: radius_xlat: '/var/log/freeradius/radacct/192.168.2.28/auth-detail-20080130'
Wed Jan 30 16:21:23 2008 : Debug: rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.2.28/auth-detail-20080130
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from auth_log (rlm_detail) for request 0
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "auth_log" returns ok for request 0
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling attr_filter (rlm_attr_filter) for request 0
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from attr_filter (rlm_attr_filter) for request 0
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "attr_filter" returns noop for request 0
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "chap" returns noop for request 0
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "mschap" returns noop for request 0
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
Wed Jan 30 16:21:23 2008 : Debug: rlm_realm: No '@' in User-Name = "aaa", looking up realm NULL
Wed Jan 30 16:21:23 2008 : Debug: rlm_realm: No such realm "NULL"
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "suffix" returns noop for request 0
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: EAP packet type response id 0 length 8
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "eap" returns updated for request 0
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "files" returns notfound for request 0
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 0
Wed Jan 30 16:21:23 2008 : Debug: rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 0
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "pap" returns noop for request 0
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group authorize (returns updated) for request 0
Wed Jan 30 16:21:23 2008 : Debug: rad_check_password: Found Auth-Type EAP
Wed Jan 30 16:21:23 2008 : Debug: auth: type "EAP"
Wed Jan 30 16:21:23 2008 : Debug: Processing the authenticate section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group authenticate for request 0
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 0
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: EAP Identity
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: processing type tls
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: Initiate
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: Start returned 1
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 0
Wed Jan 30 16:21:23 2008 : Debug: modcall[authenticate]: module "eap" returns handled for request 0
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 0 to 192.168.2.28 port 1032
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5db289aaf7d6fa0ebe901707a31e963c
Wed Jan 30 16:21:23 2008 : Debug: Finished request 0
Wed Jan 30 16:21:23 2008 : Debug: Going to the next request
Wed Jan 30 16:21:23 2008 : Debug: --- Walking the entire request list ---
Wed Jan 30 16:21:23 2008 : Debug: Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.28:1032, id=1, length=306
Message-Authenticator = 0x47b000110073bbb08377c494b4bd16ef
Service-Type = Framed-User
User-Name = "aaa"
Framed-MTU = 1488
State = 0x5db289aaf7d6fa0ebe901707a31e963c
Called-Station-Id = "00-15-E9-AE-B2-BF:WLAN"
Calling-Station-Id = "00-17-9A-82-C7-7B"
NAS-Identifier = "WLAN Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0201007019800000006616030100610100005d030147a087e3be36eef7e3c8558ad9836ef8545a57ad4ecd31cb1dee537f0217d0a0203285b3ca15b5bc19c4dc749138750ef06e349d1b28dc3864c757ae2d531b31bb001600040005000a000900640062000300060013001200630100
NAS-IP-Address = 192.168.2.28
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
Wed Jan 30 16:21:23 2008 : Debug: Processing the authorize section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group authorize for request 1
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "preprocess" returns ok for request 1
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling auth_log (rlm_detail) for request 1
Wed Jan 30 16:21:23 2008 : Debug: radius_xlat: '/var/log/freeradius/radacct/192.168.2.28/auth-detail-20080130'
Wed Jan 30 16:21:23 2008 : Debug: rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.2.28/auth-detail-20080130
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from auth_log (rlm_detail) for request 1
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "auth_log" returns ok for request 1
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling attr_filter (rlm_attr_filter) for request 1
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from attr_filter (rlm_attr_filter) for request 1
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "attr_filter" returns noop for request 1
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 1
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 1
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "chap" returns noop for request 1
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 1
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 1
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "mschap" returns noop for request 1
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 1
Wed Jan 30 16:21:23 2008 : Debug: rlm_realm: No '@' in User-Name = "aaa", looking up realm NULL
Wed Jan 30 16:21:23 2008 : Debug: rlm_realm: No such realm "NULL"
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 1
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "suffix" returns noop for request 1
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 1
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: EAP packet type response id 1 length 112
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 1
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "eap" returns updated for request 1
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 1
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 1
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "files" returns notfound for request 1
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 1
Wed Jan 30 16:21:23 2008 : Debug: rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 1
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "pap" returns noop for request 1
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group authorize (returns updated) for request 1
Wed Jan 30 16:21:23 2008 : Debug: rad_check_password: Found Auth-Type EAP
Wed Jan 30 16:21:23 2008 : Debug: auth: type "EAP"
Wed Jan 30 16:21:23 2008 : Debug: Processing the authenticate section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group authenticate for request 1
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 1
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: Request found, released from the list
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: EAP/peap
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: processing type peap
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_peap: Authenticate
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: processing TLS
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: Length Included
Wed Jan 30 16:21:23 2008 : Debug: eaptls_verify returned 11
Wed Jan 30 16:21:23 2008 : Debug: (other): before/accept initialization
Wed Jan 30 16:21:23 2008 : Debug: TLS_accept: before/accept initialization
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello
Wed Jan 30 16:21:23 2008 : Debug: TLS_accept: SSLv3 read client hello A
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
Wed Jan 30 16:21:23 2008 : Debug: TLS_accept: SSLv3 write server hello A
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: >>> TLS 1.0 Handshake [length 0694], Certificate
Wed Jan 30 16:21:23 2008 : Debug: TLS_accept: SSLv3 write certificate A
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
Wed Jan 30 16:21:23 2008 : Debug: TLS_accept: SSLv3 write server done A
Wed Jan 30 16:21:23 2008 : Debug: TLS_accept: SSLv3 flush data
Wed Jan 30 16:21:23 2008 : Debug: TLS_accept: Need to read more data: SSLv3 read client certificate A
Wed Jan 30 16:21:23 2008 : Debug: In SSL Handshake Phase
Wed Jan 30 16:21:23 2008 : Debug: In SSL Accept mode
Wed Jan 30 16:21:23 2008 : Debug: eaptls_process returned 13
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_peap: EAPTLS_HANDLED
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 1
Wed Jan 30 16:21:23 2008 : Debug: modcall[authenticate]: module "eap" returns handled for request 1
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 1 to 192.168.2.28 port 1032
EAP-Message = 0x0102040a19c0000006f1160301004a02000046030147a087e30fe5927afc6e913fc013cdd64421ade59e5e48e0081dec52246dfb5620406d860bab150a348618c2468f0782195f2b7bad6e69a157ff5bbefb9bf70b6e00040016030106940b00069000068d0002cd308202c930820232a003020102020102300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e74206365
EAP-Message = 0x7274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d301e170d3034303132353133323631305a170d3035303132343133323631305a30819b310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f73743119301706035504031310526f6f74206365727469666963617465311f301d06092a864886f70d0109011610726f6f74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003
EAP-Message = 0x818d0030818902818100dac525422bfedb082629a2cba44b3449c90d0ab462fb72c8434a782098863d7eb7d7e70028c2b7ad555a51cc756cf4fa1d7091615ab450d5289553ae6616aff014a55085d6b8fb4aee98638e426175cdd36c665c63cda177d34920eb30585edc8773999c2980f81ad4638bbbea1c82d054023db7ef24a3ec1c3f6241a903d7f30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181007a2d921b1cf13bf2982a9178ec9ede6d88edc178a2e8bd40a0a06fb6f0769957884cd7084537083496fd184165293f583c8e8240eb68e042c94b15752e4c07e80d09
EAP-Message = 0x779afa3dd55c24fa54ac292d77205d1c2477ed30d59f57caf9bd21ff2a8d16cc0911c50e4f295763fcb60efa3c3d2d0e43850f6e6fbe284902f6e83503650003ba308203b63082031fa003020102020100300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c
EAP-Message = 0x652e636f6d301e170d3034303132353133323630375a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5708202a97e43ae72b2b2c71ba80ada9
Wed Jan 30 16:21:23 2008 : Debug: Finished request 1
Wed Jan 30 16:21:23 2008 : Debug: Going to the next request
Wed Jan 30 16:21:23 2008 : Debug: Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.28:1032, id=2, length=200
Message-Authenticator = 0xc8c00d8115a81d1ef2d1975cd7b7815b
Service-Type = Framed-User
User-Name = "aaa"
Framed-MTU = 1488
State = 0x5708202a97e43ae72b2b2c71ba80ada9
Called-Station-Id = "00-15-E9-AE-B2-BF:WLAN"
Calling-Station-Id = "00-17-9A-82-C7-7B"
NAS-Identifier = "WLAN Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020200061900
NAS-IP-Address = 192.168.2.28
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
Wed Jan 30 16:21:23 2008 : Debug: Processing the authorize section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group authorize for request 2
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 2
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 2
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "preprocess" returns ok for request 2
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling auth_log (rlm_detail) for request 2
Wed Jan 30 16:21:23 2008 : Debug: radius_xlat: '/var/log/freeradius/radacct/192.168.2.28/auth-detail-20080130'
Wed Jan 30 16:21:23 2008 : Debug: rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.2.28/auth-detail-20080130
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from auth_log (rlm_detail) for request 2
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "auth_log" returns ok for request 2
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling attr_filter (rlm_attr_filter) for request 2
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from attr_filter (rlm_attr_filter) for request 2
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "attr_filter" returns noop for request 2
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 2
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 2
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "chap" returns noop for request 2
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 2
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 2
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "mschap" returns noop for request 2
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 2
Wed Jan 30 16:21:23 2008 : Debug: rlm_realm: No '@' in User-Name = "aaa", looking up realm NULL
Wed Jan 30 16:21:23 2008 : Debug: rlm_realm: No such realm "NULL"
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 2
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "suffix" returns noop for request 2
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 2
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: EAP packet type response id 2 length 6
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 2
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "eap" returns updated for request 2
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 2
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 2
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "files" returns notfound for request 2
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 2
Wed Jan 30 16:21:23 2008 : Debug: rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 2
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "pap" returns noop for request 2
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group authorize (returns updated) for request 2
Wed Jan 30 16:21:23 2008 : Debug: rad_check_password: Found Auth-Type EAP
Wed Jan 30 16:21:23 2008 : Debug: auth: type "EAP"
Wed Jan 30 16:21:23 2008 : Debug: Processing the authenticate section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group authenticate for request 2
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 2
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: Request found, released from the list
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: EAP/peap
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: processing type peap
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_peap: Authenticate
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: processing TLS
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: Received EAP-TLS ACK message
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: ack handshake fragment handler
Wed Jan 30 16:21:23 2008 : Debug: eaptls_verify returned 1
Wed Jan 30 16:21:23 2008 : Debug: eaptls_process returned 13
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_peap: EAPTLS_HANDLED
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 2
Wed Jan 30 16:21:23 2008 : Debug: modcall[authenticate]: module "eap" returns handled for request 2
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 2 to 192.168.2.28 port 1032
EAP-Message = 0x010302f71900170d3036303132343133323630375a30819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d4c5b19724f164acf1ffb189db1c8fbff4f14396ea7cb1e90f78d69451725377895dfe52ccb99b41e8
EAP-Message = 0x0ddeb58b127a943f4f58cbc562878192fbdc6fece9f871e7c130d35cf5188817e9b133249edd2a1c75d31043ae87553cec7a77ef26aa7d74281db9b77e17c6446c5dd9b188b43250ca0229963722a123a726b00b4027fd0203010001a381ff3081fc301d0603551d0e0416041468d36d3e1ee7bc9d5a057021c363da1365d1ade33081cc0603551d230481c43081c1801468d36d3e1ee7bc9d5a057021c363da1365d1ade3a181a5a481a230819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010
EAP-Message = 0x060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d820100300c0603551d13040530030101ff300d06092a864886f70d01010405000381810033c00b66b1e579ef73a06798252dab8d5e5511fc00fd276d80d12f834777c6743fdc2743fca1507704e4bc0979e4f60ac3ad9ee83e6f347369229d1f77229ba2e982359da563024a00163dba6d6c986c0bad28af85132ff8f0d76501bf1b7c2dff658ce1e62c01997b6e64e3e8d4373354ce9912847651539063b85bbc5485c516030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe6496d844bf69bdcdb1602289e985d94
Wed Jan 30 16:21:23 2008 : Debug: Finished request 2
Wed Jan 30 16:21:23 2008 : Debug: Going to the next request
Wed Jan 30 16:21:23 2008 : Debug: Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.28:1032, id=3, length=386
Message-Authenticator = 0x50eaac0ad7a2fe459a874501a98ac64b
Service-Type = Framed-User
User-Name = "aaa"
Framed-MTU = 1488
State = 0xe6496d844bf69bdcdb1602289e985d94
Called-Station-Id = "00-15-E9-AE-B2-BF:WLAN"
Calling-Station-Id = "00-17-9A-82-C7-7B"
NAS-Identifier = "WLAN Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020300c01980000000b61603010086100000820080bac89a3ea71151d7ad09a69ff4ea8bc2951547167c8ea167fa9c3650285c4b106263fbff6b6b52bbbd6ec2c9eb4b9eb1a19d949ed96f2d81ee59cde3e388b26f6bc5285b71dcf6965e8ced6b59007420c47ac570b12d170c3bf9d3d3a133004a8e7fe37bf4fe4e27ed41982a8eec19682e20fa680c9bd41339e28477bce1d0581403010001011603010020fea0deb5a460a2665fc5b24deae99e753a3ba1a12c198817bb33422ec05227ee
NAS-IP-Address = 192.168.2.28
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
Wed Jan 30 16:21:23 2008 : Debug: Processing the authorize section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group authorize for request 3
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 3
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 3
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "preprocess" returns ok for request 3
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling auth_log (rlm_detail) for request 3
Wed Jan 30 16:21:23 2008 : Debug: radius_xlat: '/var/log/freeradius/radacct/192.168.2.28/auth-detail-20080130'
Wed Jan 30 16:21:23 2008 : Debug: rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.2.28/auth-detail-20080130
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from auth_log (rlm_detail) for request 3
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "auth_log" returns ok for request 3
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling attr_filter (rlm_attr_filter) for request 3
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from attr_filter (rlm_attr_filter) for request 3
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "attr_filter" returns noop for request 3
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 3
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 3
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "chap" returns noop for request 3
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 3
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 3
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "mschap" returns noop for request 3
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 3
Wed Jan 30 16:21:23 2008 : Debug: rlm_realm: No '@' in User-Name = "aaa", looking up realm NULL
Wed Jan 30 16:21:23 2008 : Debug: rlm_realm: No such realm "NULL"
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 3
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "suffix" returns noop for request 3
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 3
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: EAP packet type response id 3 length 192
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 3
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "eap" returns updated for request 3
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 3
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 3
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "files" returns notfound for request 3
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 3
Wed Jan 30 16:21:23 2008 : Debug: rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 3
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "pap" returns noop for request 3
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group authorize (returns updated) for request 3
Wed Jan 30 16:21:23 2008 : Debug: rad_check_password: Found Auth-Type EAP
Wed Jan 30 16:21:23 2008 : Debug: auth: type "EAP"
Wed Jan 30 16:21:23 2008 : Debug: Processing the authenticate section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group authenticate for request 3
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 3
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: Request found, released from the list
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: EAP/peap
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: processing type peap
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_peap: Authenticate
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: processing TLS
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: Length Included
Wed Jan 30 16:21:23 2008 : Debug: eaptls_verify returned 11
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
Wed Jan 30 16:21:23 2008 : Debug: TLS_accept: SSLv3 read client key exchange A
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
Wed Jan 30 16:21:23 2008 : Debug: TLS_accept: SSLv3 read finished A
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
Wed Jan 30 16:21:23 2008 : Debug: TLS_accept: SSLv3 write change cipher spec A
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
Wed Jan 30 16:21:23 2008 : Debug: TLS_accept: SSLv3 write finished A
Wed Jan 30 16:21:23 2008 : Debug: TLS_accept: SSLv3 flush data
Wed Jan 30 16:21:23 2008 : Debug: (other): SSL negotiation finished successfully
Wed Jan 30 16:21:23 2008 : Debug: SSL Connection Established
Wed Jan 30 16:21:23 2008 : Debug: eaptls_process returned 13
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_peap: EAPTLS_HANDLED
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 3
Wed Jan 30 16:21:23 2008 : Debug: modcall[authenticate]: module "eap" returns handled for request 3
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 3 to 192.168.2.28 port 1032
EAP-Message = 0x0104003119001403010001011603010020a562e906ef0e8bcc20bdf677cf9488ea9f72210f343b6b2764f4751c5ec28418
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3882c9b17babca451a6ccc9e89a82d1e
Wed Jan 30 16:21:23 2008 : Debug: Finished request 3
Wed Jan 30 16:21:23 2008 : Debug: Going to the next request
Wed Jan 30 16:21:23 2008 : Debug: Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.28:1032, id=4, length=200
Message-Authenticator = 0x3d2571581a9de91e3544ff7994b3bc4c
Service-Type = Framed-User
User-Name = "aaa"
Framed-MTU = 1488
State = 0x3882c9b17babca451a6ccc9e89a82d1e
Called-Station-Id = "00-15-E9-AE-B2-BF:WLAN"
Calling-Station-Id = "00-17-9A-82-C7-7B"
NAS-Identifier = "WLAN Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020400061900
NAS-IP-Address = 192.168.2.28
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
Wed Jan 30 16:21:23 2008 : Debug: Processing the authorize section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group authorize for request 4
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 4
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 4
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "preprocess" returns ok for request 4
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling auth_log (rlm_detail) for request 4
Wed Jan 30 16:21:23 2008 : Debug: radius_xlat: '/var/log/freeradius/radacct/192.168.2.28/auth-detail-20080130'
Wed Jan 30 16:21:23 2008 : Debug: rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.2.28/auth-detail-20080130
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from auth_log (rlm_detail) for request 4
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "auth_log" returns ok for request 4
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling attr_filter (rlm_attr_filter) for request 4
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from attr_filter (rlm_attr_filter) for request 4
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "attr_filter" returns noop for request 4
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 4
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 4
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "chap" returns noop for request 4
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 4
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 4
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "mschap" returns noop for request 4
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 4
Wed Jan 30 16:21:23 2008 : Debug: rlm_realm: No '@' in User-Name = "aaa", looking up realm NULL
Wed Jan 30 16:21:23 2008 : Debug: rlm_realm: No such realm "NULL"
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 4
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "suffix" returns noop for request 4
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 4
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: EAP packet type response id 4 length 6
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 4
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "eap" returns updated for request 4
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 4
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 4
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "files" returns notfound for request 4
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 4
Wed Jan 30 16:21:23 2008 : Debug: rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 4
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "pap" returns noop for request 4
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group authorize (returns updated) for request 4
Wed Jan 30 16:21:23 2008 : Debug: rad_check_password: Found Auth-Type EAP
Wed Jan 30 16:21:23 2008 : Debug: auth: type "EAP"
Wed Jan 30 16:21:23 2008 : Debug: Processing the authenticate section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group authenticate for request 4
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 4
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: Request found, released from the list
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: EAP/peap
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: processing type peap
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_peap: Authenticate
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: processing TLS
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: Received EAP-TLS ACK message
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: ack handshake is finished
Wed Jan 30 16:21:23 2008 : Debug: eaptls_verify returned 3
Wed Jan 30 16:21:23 2008 : Debug: eaptls_process returned 3
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_peap: EAPTLS_SUCCESS
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 4
Wed Jan 30 16:21:23 2008 : Debug: modcall[authenticate]: module "eap" returns handled for request 4
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group authenticate (returns handled) for request 4
Sending Access-Challenge of id 4 to 192.168.2.28 port 1032
EAP-Message = 0x0105002019001703010015a003beb410bd42441cf8049fc078150a1f62dc13a5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6472259ba53a52a47938bbb75daab0fc
Wed Jan 30 16:21:23 2008 : Debug: Finished request 4
Wed Jan 30 16:21:23 2008 : Debug: Going to the next request
Wed Jan 30 16:21:23 2008 : Debug: Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.28:1032, id=5, length=225
Message-Authenticator = 0xfa8d3e5d9994f240fd0ef4158a8c9246
Service-Type = Framed-User
User-Name = "aaa"
Framed-MTU = 1488
State = 0x6472259ba53a52a47938bbb75daab0fc
Called-Station-Id = "00-15-E9-AE-B2-BF:WLAN"
Calling-Station-Id = "00-17-9A-82-C7-7B"
NAS-Identifier = "WLAN Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0205001f19001703010014f2094e78f3e975f48718cbb7d270c92bdeb7b1a5
NAS-IP-Address = 192.168.2.28
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
Wed Jan 30 16:21:23 2008 : Debug: Processing the authorize section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group authorize for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "preprocess" returns ok for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling auth_log (rlm_detail) for request 5
Wed Jan 30 16:21:23 2008 : Debug: radius_xlat: '/var/log/freeradius/radacct/192.168.2.28/auth-detail-20080130'
Wed Jan 30 16:21:23 2008 : Debug: rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.2.28/auth-detail-20080130
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from auth_log (rlm_detail) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "auth_log" returns ok for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling attr_filter (rlm_attr_filter) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from attr_filter (rlm_attr_filter) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "attr_filter" returns noop for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "chap" returns noop for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "mschap" returns noop for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 5
Wed Jan 30 16:21:23 2008 : Debug: rlm_realm: No '@' in User-Name = "aaa", looking up realm NULL
Wed Jan 30 16:21:23 2008 : Debug: rlm_realm: No such realm "NULL"
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "suffix" returns noop for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 5
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: EAP packet type response id 5 length 31
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "eap" returns updated for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "files" returns notfound for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 5
Wed Jan 30 16:21:23 2008 : Debug: rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "pap" returns noop for request 5
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group authorize (returns updated) for request 5
Wed Jan 30 16:21:23 2008 : Debug: rad_check_password: Found Auth-Type EAP
Wed Jan 30 16:21:23 2008 : Debug: auth: type "EAP"
Wed Jan 30 16:21:23 2008 : Debug: Processing the authenticate section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group authenticate for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 5
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: Request found, released from the list
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: EAP/peap
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: processing type peap
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_peap: Authenticate
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: processing TLS
Wed Jan 30 16:21:23 2008 : Debug: eaptls_verify returned 7
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: Done initial handshake
Wed Jan 30 16:21:23 2008 : Debug: eaptls_process returned 7
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_peap: EAPTLS_OK
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_peap: Session established. Decoding tunneled attributes.
PEAP tunnel data in 0000: 01 61 61 61
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_peap: Identity - aaa
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x0205000801616161
Wed Jan 30 16:21:23 2008 : Debug: PEAP: Got tunneled identity of aaa
Wed Jan 30 16:21:23 2008 : Debug: PEAP: Setting default EAP type for tunneled EAP session.
Wed Jan 30 16:21:23 2008 : Debug: PEAP: Setting User-Name to aaa
PEAP: Sending tunneled request
EAP-Message = 0x0205000801616161
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "aaa"
Wed Jan 30 16:21:23 2008 : Debug: Processing the authorize section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group authorize for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "preprocess" returns ok for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling auth_log (rlm_detail) for request 5
Wed Jan 30 16:21:23 2008 : Debug: radius_xlat: '/var/log/freeradius/radacct/127.0.0.1/auth-detail-20080130'
Wed Jan 30 16:21:23 2008 : Debug: rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20080130
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from auth_log (rlm_detail) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "auth_log" returns ok for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling attr_filter (rlm_attr_filter) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from attr_filter (rlm_attr_filter) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "attr_filter" returns noop for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "chap" returns noop for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "mschap" returns noop for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 5
Wed Jan 30 16:21:23 2008 : Debug: rlm_realm: No '@' in User-Name = "aaa", looking up realm NULL
Wed Jan 30 16:21:23 2008 : Debug: rlm_realm: No such realm "NULL"
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "suffix" returns noop for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 5
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: EAP packet type response id 5 length 8
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "eap" returns updated for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 5
Wed Jan 30 16:21:23 2008 : Debug: users: Matched entry aaa at line 85
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "files" returns ok for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "pap" returns noop for request 5
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group authorize (returns updated) for request 5
PEAP: Got tunneled reply RADIUS code 0
Wed Jan 30 16:21:23 2008 : Debug: PEAP: Calling authenticate in order to initiate tunneled EAP session.
Wed Jan 30 16:21:23 2008 : Debug: Processing the authenticate section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group authenticate for request 5
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 5
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: EAP Identity
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: processing type mschapv2
Wed Jan 30 16:21:23 2008 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modcall[authenticate]: module "eap" returns handled for request 5
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group authenticate (returns handled) for request 5
Wed Jan 30 16:21:23 2008 : Debug: PEAP: Cancelling proxy to realm xxx until the tunneled EAP session has been established
PEAP: Processing from tunneled session code 0x80147040 11
EAP-Message = 0x0106001d1a0106001810d705730f12a9595b41ac811cc23eab54616161
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x767993fd4ad4ebf861acdf27ec0a3a8e
Wed Jan 30 16:21:23 2008 : Debug: PEAP: Got tunneled Access-Challenge
PEAP tunnel data out 0000: 1a 01 06 00 18 10 d7 05 73 0f 12 a9 59 5b 41 ac
PEAP tunnel data out 0010: 81 1c c2 3e ab 54 61 61 61
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 5
Wed Jan 30 16:21:23 2008 : Debug: modcall[authenticate]: module "eap" returns handled for request 5
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group authenticate (returns handled) for request 5
Sending Access-Challenge of id 5 to 192.168.2.28 port 1032
EAP-Message = 0x01060034190017030100291f8fadaf8be94d9469a30a78fcc2ae5503135fb3588b426d80237b5bb96cd390128aaaeab9af12f9f3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x46e3664e4d1315184ed1a50e6dc819b3
Wed Jan 30 16:21:23 2008 : Debug: Finished request 5
Wed Jan 30 16:21:23 2008 : Debug: Going to the next request
Wed Jan 30 16:21:23 2008 : Debug: Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.28:1032, id=6, length=279
Message-Authenticator = 0xf24acb657d7e9f0ea425095ba74e861b
Service-Type = Framed-User
User-Name = "aaa"
Framed-MTU = 1488
State = 0x46e3664e4d1315184ed1a50e6dc819b3
Called-Station-Id = "00-15-E9-AE-B2-BF:WLAN"
Calling-Station-Id = "00-17-9A-82-C7-7B"
NAS-Identifier = "WLAN Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020600551900170301004aba2524bee95d3df9b8b22f2250e4c4314a0e52353fd9037b6d96d8010f9811be0f665cae244749d9b0f10fa2d28d5660564fe27284e1f3d92a4222360cf90d70f12d193a481852d84bbe
NAS-IP-Address = 192.168.2.28
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
Wed Jan 30 16:21:23 2008 : Debug: Processing the authorize section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group authorize for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "preprocess" returns ok for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling auth_log (rlm_detail) for request 6
Wed Jan 30 16:21:23 2008 : Debug: radius_xlat: '/var/log/freeradius/radacct/192.168.2.28/auth-detail-20080130'
Wed Jan 30 16:21:23 2008 : Debug: rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.2.28/auth-detail-20080130
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from auth_log (rlm_detail) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "auth_log" returns ok for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling attr_filter (rlm_attr_filter) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from attr_filter (rlm_attr_filter) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "attr_filter" returns noop for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "chap" returns noop for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "mschap" returns noop for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 6
Wed Jan 30 16:21:23 2008 : Debug: rlm_realm: No '@' in User-Name = "aaa", looking up realm NULL
Wed Jan 30 16:21:23 2008 : Debug: rlm_realm: No such realm "NULL"
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "suffix" returns noop for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 6
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: EAP packet type response id 6 length 85
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "eap" returns updated for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "files" returns notfound for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 6
Wed Jan 30 16:21:23 2008 : Debug: rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "pap" returns noop for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group authorize (returns updated) for request 6
Wed Jan 30 16:21:23 2008 : Debug: rad_check_password: Found Auth-Type EAP
Wed Jan 30 16:21:23 2008 : Debug: auth: type "EAP"
Wed Jan 30 16:21:23 2008 : Debug: Processing the authenticate section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group authenticate for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 6
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: Request found, released from the list
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: EAP/peap
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: processing type peap
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_peap: Authenticate
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: processing TLS
Wed Jan 30 16:21:23 2008 : Debug: eaptls_verify returned 7
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: Done initial handshake
Wed Jan 30 16:21:23 2008 : Debug: eaptls_process returned 7
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_peap: EAPTLS_OK
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_peap: Session established. Decoding tunneled attributes.
PEAP tunnel data in 0000: 1a 02 06 00 39 31 54 3b ff a8 dd c0 94 f4 dd 7d
PEAP tunnel data in 0010: 68 d5 83 58 3c ef 00 00 00 00 00 00 00 00 37 cc
PEAP tunnel data in 0020: 3c cd 31 b8 76 ad 62 b6 16 4c bb b4 7f 0f 87 d0
PEAP tunnel data in 0030: 4f 4c 21 56 a1 3d 00 61 61 61
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_peap: EAP type mschapv2
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x0206003e1a0206003931543bffa8ddc094f4dd7d68d583583cef000000000000000037cc3ccd31b876ad62b6164cbbb47f0f87d04f4c2156a13d00616161
Wed Jan 30 16:21:23 2008 : Debug: PEAP: Setting User-Name to aaa
Wed Jan 30 16:21:23 2008 : Debug: PEAP: Adding old state with 76 79
PEAP: Sending tunneled request
EAP-Message = 0x0206003e1a0206003931543bffa8ddc094f4dd7d68d583583cef000000000000000037cc3ccd31b876ad62b6164cbbb47f0f87d04f4c2156a13d00616161
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "aaa"
State = 0x767993fd4ad4ebf861acdf27ec0a3a8e
Wed Jan 30 16:21:23 2008 : Debug: Processing the authorize section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group authorize for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "preprocess" returns ok for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling auth_log (rlm_detail) for request 6
Wed Jan 30 16:21:23 2008 : Debug: radius_xlat: '/var/log/freeradius/radacct/127.0.0.1/auth-detail-20080130'
Wed Jan 30 16:21:23 2008 : Debug: rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20080130
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from auth_log (rlm_detail) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "auth_log" returns ok for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling attr_filter (rlm_attr_filter) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from attr_filter (rlm_attr_filter) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "attr_filter" returns noop for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "chap" returns noop for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "mschap" returns noop for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 6
Wed Jan 30 16:21:23 2008 : Debug: rlm_realm: No '@' in User-Name = "aaa", looking up realm NULL
Wed Jan 30 16:21:23 2008 : Debug: rlm_realm: No such realm "NULL"
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "suffix" returns noop for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 6
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: EAP packet type response id 6 length 62
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "eap" returns updated for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 6
Wed Jan 30 16:21:23 2008 : Debug: users: Matched entry aaa at line 85
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "files" returns ok for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "pap" returns noop for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group authorize (returns updated) for request 6
PEAP: Got tunneled reply RADIUS code 0
Wed Jan 30 16:21:23 2008 : Debug: PEAP: Calling authenticate in order to initiate tunneled EAP session.
Wed Jan 30 16:21:23 2008 : Debug: Processing the authenticate section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group authenticate for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 6
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: Request found, released from the list
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: EAP/mschapv2
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: processing type mschapv2
Wed Jan 30 16:21:23 2008 : Debug: Not-EAP proxy set. Not composing EAP
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[authenticate]: module "eap" returns handled for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group authenticate (returns handled) for request 6
Wed Jan 30 16:21:23 2008 : Debug: PEAP: Tunneled authentication will be proxied to xxx
Wed Jan 30 16:21:23 2008 : Debug: PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
Wed Jan 30 16:21:23 2008 : Debug: Tunneled session will be proxied. Not doing EAP.
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[authenticate]: module "eap" returns handled for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group authenticate (returns handled) for request 6
Wed Jan 30 16:21:23 2008 : Debug: Processing the pre-proxy section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group pre-proxy for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[pre-proxy]: calling files (rlm_files) for request 6
Wed Jan 30 16:21:23 2008 : Debug: preproxy_users: Matched entry DEFAULT at line 33
Wed Jan 30 16:21:23 2008 : Debug: modsingle[pre-proxy]: returned from files (rlm_files) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[pre-proxy]: module "files" returns ok for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[pre-proxy]: calling pre_proxy_log (rlm_detail) for request 6
Wed Jan 30 16:21:23 2008 : Debug: radius_xlat: '/var/log/freeradius/radacct/192.168.2.28/pre-proxy-detail-20080130'
Wed Jan 30 16:21:23 2008 : Debug: rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.2.28/pre-proxy-detail-20080130
Wed Jan 30 16:21:23 2008 : Debug: modsingle[pre-proxy]: returned from pre_proxy_log (rlm_detail) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[pre-proxy]: module "pre_proxy_log" returns ok for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group pre-proxy (returns ok) for request 6
Wed Jan 30 16:21:23 2008 : Debug: proxy: creating 5002a8c0:1812
Wed Jan 30 16:21:23 2008 : Debug: proxy: allocating 5002a8c0:1812 0
Sending Access-Request of id 0 to 192.168.2.80 port 1812
User-Name = "aaa"
NAS-IP-Address = 127.0.0.1
MS-CHAP-Challenge = 0xd705730f12a9595b41ac811cc23eab54
MS-CHAP2-Response = 0x0661543bffa8ddc094f4dd7d68d583583cef000000000000000037cc3ccd31b876ad62b6164cbbb47f0f87d04f4c2156a13d
Proxy-State = 0x36
Service-Type := BOSS4-HomeNet-VPN
Wed Jan 30 16:21:23 2008 : Debug: Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 192.168.2.80:1812, id=0, length=262
Wed Jan 30 16:21:23 2008 : Debug: proxy: de-allocating 5002a8c0:1812 0
Reply-Message = "ACCESS: GRANTED"
Reply-Message = "AGREEMENT-ID: 587986"
Framed-IP-Address = 192.168.2.56
Framed-IP-Netmask = 255.255.255.255
Framed-Protocol = PPP
MS-CHAP2-Success = 0x00533d46344538343746453843323736414341453537393637343835343143384642303742334633303739
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Recv-Key = 0x6b79482763300b5dece7d6ac717d8a21
MS-MPPE-Send-Key = 0xe23347a646ed9a7a19693881f99ebb37
Service-Type = Framed-User
Reply-Message = "STATUS: 0.00000000"
Wed Jan 30 16:21:23 2008 : Debug: Processing the post-proxy section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group post-proxy for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[post-proxy]: calling post_proxy_log (rlm_detail) for request 6
Wed Jan 30 16:21:23 2008 : Debug: radius_xlat: '/var/log/freeradius/radacct/192.168.2.28/post-proxy-detail-20080130'
Wed Jan 30 16:21:23 2008 : Debug: rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.2.28/post-proxy-detail-20080130
Wed Jan 30 16:21:23 2008 : Debug: modsingle[post-proxy]: returned from post_proxy_log (rlm_detail) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[post-proxy]: module "post_proxy_log" returns ok for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[post-proxy]: calling eap (rlm_eap) for request 6
Wed Jan 30 16:21:23 2008 : Debug: PEAP: Passing reply from proxy back into the tunnel.
Wed Jan 30 16:21:23 2008 : Debug: PEAP: Passing reply back for EAP-MS-CHAP-V2 0x801453f8 2
Wed Jan 30 16:21:23 2008 : Debug: Processing the post-proxy section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group post-proxy for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[post-proxy]: calling post_proxy_log (rlm_detail) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[post-proxy]: returned from post_proxy_log (rlm_detail) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[post-proxy]: module "post_proxy_log" returns noop for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[post-proxy]: calling eap (rlm_eap) for request 6
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x801453f8 2.
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_mschapv2: Authentication succeeded.
Wed Jan 30 16:21:23 2008 : Debug: MSCHAP Success
Wed Jan 30 16:21:23 2008 : Debug: modsingle[post-proxy]: returned from eap (rlm_eap) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[post-proxy]: module "eap" returns ok for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group post-proxy (returns ok) for request 6
Wed Jan 30 16:21:23 2008 : Debug: POST-PROXY 2
Wed Jan 30 16:21:23 2008 : Debug: Processing the post-auth section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group post-auth for request 6
Wed Jan 30 16:21:23 2008 : Debug: modsingle[post-auth]: calling reply_log (rlm_detail) for request 6
Wed Jan 30 16:21:23 2008 : Debug: radius_xlat: '/var/log/freeradius/radacct/127.0.0.1/reply-detail-20080130'
Wed Jan 30 16:21:23 2008 : Debug: rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/reply-detail-20080130
Wed Jan 30 16:21:23 2008 : Debug: modsingle[post-auth]: returned from reply_log (rlm_detail) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[post-auth]: module "reply_log" returns ok for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group post-auth (returns ok) for request 6
Wed Jan 30 16:21:23 2008 : Debug: POST-AUTH 2
PEAP: Final reply from tunneled session code 11
Reply-Message = "ACCESS: GRANTED"
Reply-Message = "AGREEMENT-ID: 587986"
Framed-IP-Address = 192.168.2.56
Framed-IP-Netmask = 255.255.255.255
Framed-Protocol = PPP
Service-Type = Framed-User
Reply-Message = "STATUS: 0.00000000"
EAP-Message = 0x010700331a0306002e533d46344538343746453843323736414341453537393637343835343143384642303742334633303739
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2e6847c5eb9a59e5f7cdbc3d8f082a8f
Wed Jan 30 16:21:23 2008 : Debug: PEAP: Got reply 11
PEAP: Processing from tunneled session code 0x80144e58 11
Reply-Message = "ACCESS: GRANTED"
Reply-Message = "AGREEMENT-ID: 587986"
Framed-IP-Address = 192.168.2.56
Framed-IP-Netmask = 255.255.255.255
Framed-Protocol = PPP
Service-Type = Framed-User
Reply-Message = "STATUS: 0.00000000"
EAP-Message = 0x010700331a0306002e533d46344538343746453843323736414341453537393637343835343143384642303742334633303739
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2e6847c5eb9a59e5f7cdbc3d8f082a8f
Wed Jan 30 16:21:23 2008 : Debug: PEAP: Got tunneled Access-Challenge
PEAP tunnel data out 0000: 1a 03 06 00 2e 53 3d 46 34 45 38 34 37 46 45 38
PEAP tunnel data out 0010: 43 32 37 36 41 43 41 45 35 37 39 36 37 34 38 35
PEAP tunnel data out 0020: 34 31 43 38 46 42 30 37 42 33 46 33 30 37 39
Wed Jan 30 16:21:23 2008 : Debug: PEAP: Reply was handled
Wed Jan 30 16:21:23 2008 : Debug: modsingle[post-proxy]: returned from eap (rlm_eap) for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall[post-proxy]: module "eap" returns ok for request 6
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group post-proxy (returns ok) for request 6
Sending Access-Challenge of id 6 to 192.168.2.28 port 1032
EAP-Message = 0x0107004a1900170301003f3cbae61fe7c97a3500bb9b7aa65a7ebf4dfde9f637ba2a0f53ed7e91716066ab1dac2c590f7476689bf80aacf390629dd56a9d5e9df17b60819fc23938d207
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8f6fded6f73f89f6c871aa78026be3fe
Wed Jan 30 16:21:23 2008 : Debug: Finished request 6
Wed Jan 30 16:21:23 2008 : Debug: Going to the next request
Wed Jan 30 16:21:23 2008 : Debug: Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.28:1032, id=7, length=223
Message-Authenticator = 0xdf76dfa6cb666f43cae3f55e797a4b95
Service-Type = Framed-User
User-Name = "aaa"
Framed-MTU = 1488
State = 0x8f6fded6f73f89f6c871aa78026be3fe
Called-Station-Id = "00-15-E9-AE-B2-BF:WLAN"
Calling-Station-Id = "00-17-9A-82-C7-7B"
NAS-Identifier = "WLAN Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0207001d19001703010012156f46fa75527ef68f17bb704f8dba1532f7
NAS-IP-Address = 192.168.2.28
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
Wed Jan 30 16:21:23 2008 : Debug: Processing the authorize section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group authorize for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "preprocess" returns ok for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling auth_log (rlm_detail) for request 7
Wed Jan 30 16:21:23 2008 : Debug: radius_xlat: '/var/log/freeradius/radacct/192.168.2.28/auth-detail-20080130'
Wed Jan 30 16:21:23 2008 : Debug: rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.2.28/auth-detail-20080130
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from auth_log (rlm_detail) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "auth_log" returns ok for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling attr_filter (rlm_attr_filter) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from attr_filter (rlm_attr_filter) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "attr_filter" returns noop for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "chap" returns noop for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "mschap" returns noop for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 7
Wed Jan 30 16:21:23 2008 : Debug: rlm_realm: No '@' in User-Name = "aaa", looking up realm NULL
Wed Jan 30 16:21:23 2008 : Debug: rlm_realm: No such realm "NULL"
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "suffix" returns noop for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 7
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: EAP packet type response id 7 length 29
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "eap" returns updated for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "files" returns notfound for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 7
Wed Jan 30 16:21:23 2008 : Debug: rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "pap" returns noop for request 7
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group authorize (returns updated) for request 7
Wed Jan 30 16:21:23 2008 : Debug: rad_check_password: Found Auth-Type EAP
Wed Jan 30 16:21:23 2008 : Debug: auth: type "EAP"
Wed Jan 30 16:21:23 2008 : Debug: Processing the authenticate section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group authenticate for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 7
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: Request found, released from the list
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: EAP/peap
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: processing type peap
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_peap: Authenticate
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: processing TLS
Wed Jan 30 16:21:23 2008 : Debug: eaptls_verify returned 7
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_tls: Done initial handshake
Wed Jan 30 16:21:23 2008 : Debug: eaptls_process returned 7
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_peap: EAPTLS_OK
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_peap: Session established. Decoding tunneled attributes.
PEAP tunnel data in 0000: 1a 03
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_peap: EAP type mschapv2
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x020700061a03
Wed Jan 30 16:21:23 2008 : Debug: PEAP: Setting User-Name to aaa
Wed Jan 30 16:21:23 2008 : Debug: PEAP: Adding old state with 2e 68
PEAP: Sending tunneled request
EAP-Message = 0x020700061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "aaa"
State = 0x2e6847c5eb9a59e5f7cdbc3d8f082a8f
Wed Jan 30 16:21:23 2008 : Debug: Processing the authorize section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group authorize for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "preprocess" returns ok for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling auth_log (rlm_detail) for request 7
Wed Jan 30 16:21:23 2008 : Debug: radius_xlat: '/var/log/freeradius/radacct/127.0.0.1/auth-detail-20080130'
Wed Jan 30 16:21:23 2008 : Debug: rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20080130
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from auth_log (rlm_detail) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "auth_log" returns ok for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling attr_filter (rlm_attr_filter) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from attr_filter (rlm_attr_filter) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "attr_filter" returns noop for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "chap" returns noop for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "mschap" returns noop for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 7
Wed Jan 30 16:21:23 2008 : Debug: rlm_realm: No '@' in User-Name = "aaa", looking up realm NULL
Wed Jan 30 16:21:23 2008 : Debug: rlm_realm: No such realm "NULL"
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "suffix" returns noop for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 7
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: EAP packet type response id 7 length 6
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "eap" returns updated for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 7
Wed Jan 30 16:21:23 2008 : Debug: users: Matched entry aaa at line 85
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "files" returns ok for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modcall[authorize]: module "pap" returns noop for request 7
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group authorize (returns updated) for request 7
PEAP: Got tunneled reply RADIUS code 0
Wed Jan 30 16:21:23 2008 : Debug: PEAP: Calling authenticate in order to initiate tunneled EAP session.
Wed Jan 30 16:21:23 2008 : Debug: Processing the authenticate section of radiusd.conf
Wed Jan 30 16:21:23 2008 : Debug: modcall: entering group authenticate for request 7
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 7
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: Request not found in the list
Wed Jan 30 16:21:23 2008 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: Failed in handler
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modcall[authenticate]: module "eap" returns invalid for request 7
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group authenticate (returns invalid) for request 7
Wed Jan 30 16:21:23 2008 : Debug: PEAP: Can't handle the return code 4
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: Handler failed in EAP/peap
Wed Jan 30 16:21:23 2008 : Debug: rlm_eap: Failed in EAP select
Wed Jan 30 16:21:23 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 7
Wed Jan 30 16:21:23 2008 : Debug: modcall[authenticate]: module "eap" returns invalid for request 7
Wed Jan 30 16:21:23 2008 : Debug: modcall: leaving group authenticate (returns invalid) for request 7
Wed Jan 30 16:21:23 2008 : Debug: auth: Failed to validate the user.
Wed Jan 30 16:21:23 2008 : Debug: Delaying request 7 for 1 seconds
Wed Jan 30 16:21:23 2008 : Debug: Finished request 7
Wed Jan 30 16:21:23 2008 : Debug: Going to the next request
Wed Jan 30 16:21:23 2008 : Debug: Waking up in 6 seconds...
3
17
...
>rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check
items
...
>rlm_eap_md5: User-Password is required for EAP-MD5 authentication
...
You can't use encrypted passwords with EAP-MD5.
http://deployingradius.com/documents/protocols/compatibility.html
Ivan Kalik
Kalik Informatika ISP
5
10
OK Alan,
i`m not advanced freeradius user`s, i`m trying to learn this.
I just need help to configure, you can help me ?
My freeradius running ok, not show error messages, but not work....
The client (AP) associated in radius, my final client (notebook) associated on AP, but....nothing happens...
I search any documents about this, but anyone work.
What do you need to help me ? and you can do ?
I need this to my job, we are a ISP, and implanting radius, to authenticate clients....
Thanks, sorry to my poor english (I`m brazil)
Emerson
P.S If you or anyone can help me, above, my configuration files, radiusd.conf, sql.conf, eap.conf, clients.conf
****************************************************************************************************
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id: radiusd.conf.in,v 1.188.2.4.2.4 2005/12/28 19:51:07 aland Exp $
##
# The location of other config files and
# logfiles are declared in this file
#
# Also general configuration for modules can be done
# in this file, it is exported through the API to
# modules that ask for it.
#
# The configuration variables defined here are of the form ${foo}
# They are local to this file, and do not change from request to
# request.
#
# The per-request variables are of the form %{Attribute-Name}, and
# are taken from the values of the attribute in the incoming
# request. See 'doc/variables.txt' for more information.
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = /etc/raddb
radacctdir = /var/log/radacct
# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
#
# The logging messages for the server are appended to the
# tail of this file.
#
log_file = ${logdir}/radius.log
#
# libdir: Where to find the rlm_* modules.
#
# This should be automatically set at configuration time.
#
# If the server builds and installs, but fails at execution time
# with an 'undefined symbol' error, then you can use the libdir
# directive to work around the problem.
#
# The cause is usually that a library has been installed on your
# system in a place where the dynamic linker CANNOT find it. When
# executing as root (or another user), your personal environment MAY
# be set up to allow the dynamic linker to find the library. When
# executing as a daemon, FreeRADIUS MAY NOT have the same
# personalized configuration.
#
# To work around the problem, find out which library contains that symbol,
# and add the directory containing that library to the end of 'libdir',
# with a colon separating the directory names. NO spaces are allowed.
#
# e.g. libdir = /usr/local/lib:/opt/package/lib
#
# You can also try setting the LD_LIBRARY_PATH environment variable
# in a script which starts the server.
#
# If that does not work, then you can re-configure and re-build the
# server to NOT use shared libraries, via:
#
# ./configure --disable-shared
# make
# make install
#
libdir = ${exec_prefix}/lib
# pidfile: Where to place the PID of the RADIUS server.
#
# The server may be signalled while it's running by using this
# file.
#
# This file is written when ONLY running in daemon mode.
#
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/radiusd.pid
# user/group: The name (or #number) of the user/group to run radiusd as.
#
# If these are commented out, the server will run as the user/group
# that started it. In order to change to a different user/group, you
# MUST be root ( or have root privleges ) to start the server.
#
# We STRONGLY recommend that you run the server with as few permissions
# as possible. That is, if you're not using shadow passwords, the
# user and group items below should be set to 'nobody'.
#
# On SCO (ODT 3) use "user = nouser" and "group = nogroup".
#
# NOTE that some kernels refuse to setgid(group) when the value of
# (unsigned)group is above 60000; don't use group nobody on these systems!
#
# On systems with shadow passwords, you might have to set 'group = shadow'
# for the server to be able to read the shadow password file. If you can
# authenticate users while in debug mode, but not in daemon mode, it may be
# that the debugging mode server is running as a user that can read the
# shadow info, and the user listed below can not.
#
#user = nobody
#group = nobody
# max_request_time: The maximum time (in seconds) to handle a request.
#
# Requests which take more time than this to process may be killed, and
# a REJECT message is returned.
#
# WARNING: If you notice that requests take a long time to be handled,
# then this MAY INDICATE a bug in the server, in one of the modules
# used to handle a request, OR in your local configuration.
#
# This problem is most often seen when using an SQL database. If it takes
# more than a second or two to receive an answer from the SQL database,
# then it probably means that you haven't indexed the database. See your
# SQL server documentation for more information.
#
# Useful range of values: 5 to 120
#
max_request_time = 30
# delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
# to be handled, then maybe the server should delete it.
#
# If you're running in threaded, or thread pool mode, this setting
# should probably be 'no'. Setting it to 'yes' when using a threaded
# server MAY cause the server to crash!
#
delete_blocked_requests = no
# cleanup_delay: The time to wait (in seconds) before cleaning up
# a reply which was sent to the NAS.
#
# The RADIUS request is normally cached internally for a short period
# of time, after the reply is sent to the NAS. The reply packet may be
# lost in the network, and the NAS will not see it. The NAS will then
# re-send the request, and the server will respond quickly with the
# cached reply.
#
# If this value is set too low, then duplicate requests from the NAS
# MAY NOT be detected, and will instead be handled as seperate requests.
#
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See 'max_requests'.)
#
# Useful range of values: 2 to 10
#
cleanup_delay = 5
# max_requests: The maximum number of requests which the server keeps
# track of. This should be 256 multiplied by the number of clients.
# e.g. With 4 clients, this number should be 1024.
#
# If this number is too low, then when the server becomes busy,
# it will not respond to any new requests, until the 'cleanup_delay'
# time has passed, and it has removed the old requests.
#
# If this number is set too high, then the server will use a bit more
# memory for no real benefit.
#
# If you aren't sure what it should be set to, it's better to set it
# too high than too low. Setting it to 1000 per client is probably
# the highest it should be.
#
# Useful range of values: 256 to infinity
#
max_requests = 1024
# bind_address: Make the server listen on a particular IP address, and
# send replies out from that address. This directive is most useful
# for machines with multiple IP addresses on one interface.
#
# It can either contain "*", or an IP address, or a fully qualified
# Internet domain name. The default is "*"
#
# As of 1.0, you can also use the "listen" directive. See below for
# more information.
#
bind_address = *
# port: Allows you to bind FreeRADIUS to a specific port.
#
# The default port that most NAS boxes use is 1645, which is historical.
# RFC 2138 defines 1812 to be the new port. Many new servers and
# NAS boxes use 1812, which can create interoperability problems.
#
# The port is defined here to be 0 so that the server will pick up
# the machine's local configuration for the radius port, as defined
# in /etc/services.
#
# If you want to use the default RADIUS port as defined on your server,
# (usually through 'grep radius /etc/services') set this to 0 (zero).
#
# A port given on the command-line via '-p' over-rides this one.
#
# As of 1.0, you can also use the "listen" directive. See below for
# more information.
#
port = 0
#
# By default, the server uses "bind_address" to listen to all IP's
# on a machine, or just one IP. The "port" configuration is used
# to select the authentication port used when listening on those
# addresses.
#
# If you want the server to listen on additional addresses, you can
# use the "listen" section. A sample section (commented out) is included
# below. This "listen" section duplicates the functionality of the
# "bind_address" and "port" configuration entries, but it only listens
# for authentication packets.
#
# If you comment out the "bind_address" and "port" configuration entries,
# then it becomes possible to make the server accept only accounting,
# or authentication packets. Previously, it always listened for both
# types of packets, and it was impossible to make it listen for only
# one type of packet.
#
#listen {
# IP address on which to listen.
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
# wildcard (*)
# ipaddr = *
# Port on which to listen.
# Allowed values are:
# integer port number (1812)
# 0 means "use /etc/services for the proper port"
# port = 0
# Type of packets to listen for.
# Allowed values are:
# auth listen for authentication packets
# acct listen for accounting packets
#
# type = auth
#}
# hostname_lookups: Log the names of clients or just their IP addresses
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
# The default is 'off' because it would be overall better for the net
# if people had to knowingly turn this feature on, since enabling it
# means that each client request will result in AT LEAST one lookup
# request to the nameserver. Enabling hostname_lookups will also
# mean that your server may stop randomly for 30 seconds from time
# to time, if the DNS requests take too long.
#
# Turning hostname lookups off also means that the server won't block
# for 30 seconds, if it sees an IP address which has no name associated
# with it.
#
# allowed values: {no, yes}
#
hostname_lookups = no
# Core dumps are a bad thing. This should only be set to 'yes'
# if you're debugging a problem with the server.
#
# allowed values: {no, yes}
#
allow_core_dumps = no
# Regular expressions
#
# These items are set at configure time. If they're set to "yes",
# then setting them to "no" turns off regular expression support.
#
# If they're set to "no" at configure time, then setting them to "yes"
# WILL NOT WORK. It will give you an error.
#
regular_expressions = yes
extended_expressions = yes
# Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
log_stripped_names = no
# Log authentication requests to the log file.
#
# allowed values: {no, yes}
#
log_auth = yes
# Log passwords with the authentication requests.
# log_auth_badpass - logs password if it's rejected
# log_auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
#
log_auth_badpass = yes
log_auth_goodpass = yes
# usercollide: Turn "username collision" code on and off. See the
# "doc/duplicate-users" file
#
# WARNING
# !!!!!!! Setting this to "yes" may result in the server behaving
# !!!!!!! strangely. The "username collision" code will ONLY work
# !!!!!!! with clear-text passwords. Even then, it may not do what
# !!!!!!! you want, or what you expect.
# !!!!!!!
# !!!!!!! We STRONGLY RECOMMEND that you do not use this feature,
# !!!!!!! and that you find another way of acheiving the same goal.
# !!!!!!!
# !!!!!!! e,g. module fail-over. See 'doc/configurable_failover'
# WARNING
#
usercollide = no
# lower_user / lower_pass:
# Lower case the username/password "before" or "after"
# attempting to authenticate.
#
# If "before", the server will first modify the request and then try
# to auth the user. If "after", the server will first auth using the
# values provided by the user. If that fails it will reprocess the
# request after modifying it as you specify below.
#
# This is as close as we can get to case insensitivity. It is the
# admin's job to ensure that the username on the auth db side is
# *also* lowercase to make this work
#
# Default is 'no' (don't lowercase values)
# Valid values = "before" / "after" / "no"
#
lower_user = no
lower_pass = no
# nospace_user / nospace_pass:
#
# Some users like to enter spaces in their username or password
# incorrectly. To save yourself the tech support call, you can
# eliminate those spaces here:
#
# Default is 'no' (don't remove spaces)
# Valid values = "before" / "after" / "no" (explanation above)
#
nospace_user = no
nospace_pass = no
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
# SECURITY CONFIGURATION
#
# There may be multiple methods of attacking on the server. This
# section holds the configuration items which minimize the impact
# of those attacks
#
security {
#
# max_attributes: The maximum number of attributes
# permitted in a RADIUS packet. Packets which have MORE
# than this number of attributes in them will be dropped.
#
# If this number is set too low, then no RADIUS packets
# will be accepted.
#
# If this number is set too high, then an attacker may be
# able to send a small number of packets which will cause
# the server to use all available memory on the machine.
#
# Setting this number to 0 means "allow any number of attributes"
max_attributes = 200
#
# delayed_reject: When sending an Access-Reject, it can be
# delayed for a few seconds. This may help slow down a DoS
# attack. It also helps to slow down people trying to brute-force
# crack a users password.
#
# Setting this number to 0 means "send rejects immediately"
#
# If this number is set higher than 'cleanup_delay', then the
# rejects will be sent at 'cleanup_delay' time, when the request
# is deleted from the internal cache of requests.
#
# Useful ranges: 1 to 5
reject_delay = 1
#
# status_server: Whether or not the server will respond
# to Status-Server requests.
#
# Normally this should be set to "no", because they're useless.
# See: http://www.freeradius.org/rfc/rfc2865.html#Keep-Alives
#
# However, certain NAS boxes may require them.
#
# When sent a Status-Server message, the server responds with
# an Access-Accept packet, containing a Reply-Message attribute,
# which is a string describing how long the server has been
# running.
#
status_server = no
}
# PROXY CONFIGURATION
#
# proxy_requests: Turns proxying of RADIUS requests on or off.
#
# The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can turn proxying
# off here. This will save a small amount of resources on the server.
#
# If you have proxying turned off, and your configuration files say
# to proxy a request, then an error message will be logged.
#
# To disable proxying, change the "yes" to "no", and comment the
# $INCLUDE line.
#
# allowed values: {no, yes}
#
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
# CLIENTS CONFIGURATION
#
# Client configuration is defined in "clients.conf".
#
# The 'clients.conf' file contains all of the information from the old
# 'clients' and 'naslist' configuration files. We recommend that you
# do NOT use 'client's or 'naslist', although they are still
# supported.
#
# Anything listed in 'clients.conf' will take precedence over the
# information from the old-style configuration files.
#
$INCLUDE ${confdir}/clients.conf
# SNMP CONFIGURATION
#
# Snmp configuration is only valid if SNMP support was enabled
# at compile time.
#
# To enable SNMP querying of the server, set the value of the
# 'snmp' attribute to 'yes'
#
snmp = no
$INCLUDE ${confdir}/snmp.conf
# THREAD POOL CONFIGURATION
#
# The thread pool is a long-lived group of threads which
# take turns (round-robin) handling any incoming requests.
#
# You probably want to have a few spare threads around,
# so that high-load situations can be handled immediately. If you
# don't have any spare threads, then the request handling will
# be delayed while a new thread is created, and added to the pool.
#
# You probably don't want too many spare threads around,
# otherwise they'll be sitting there taking up resources, and
# not doing anything productive.
#
# The numbers given below should be adequate for most situations.
#
thread pool {
# Number of servers to start initially --- should be a reasonable
# ballpark figure.
start_servers = 5
# Limit on the total number of servers running.
#
# If this limit is ever reached, clients will be LOCKED OUT, so it
# should NOT BE SET TOO LOW. It is intended mainly as a brake to
# keep a runaway server from taking the system with it as it spirals
# down...
#
# You may find that the server is regularly reaching the
# 'max_servers' number of threads, and that increasing
# 'max_servers' doesn't seem to make much difference.
#
# If this is the case, then the problem is MOST LIKELY that
# your back-end databases are taking too long to respond, and
# are preventing the server from responding in a timely manner.
#
# The solution is NOT do keep increasing the 'max_servers'
# value, but instead to fix the underlying cause of the
# problem: slow database, or 'hostname_lookups=yes'.
#
# For more information, see 'max_request_time', above.
#
max_servers = 32
# Server-pool size regulation. Rather than making you guess
# how many servers you need, FreeRADIUS dynamically adapts to
# the load it sees, that is, it tries to maintain enough
# servers to handle the current load, plus a few spare
# servers to handle transient load spikes.
#
# It does this by periodically checking how many servers are
# waiting for a request. If there are fewer than
# min_spare_servers, it creates a new spare. If there are
# more than max_spare_servers, some of the spares die off.
# The default values are probably OK for most sites.
#
min_spare_servers = 3
max_spare_servers = 10
# There may be memory leaks or resource allocation problems with
# the server. If so, set this value to 300 or so, so that the
# resources will be cleaned up periodically.
#
# This should only be necessary if there are serious bugs in the
# server which have not yet been fixed.
#
# '0' is a special value meaning 'infinity', or 'the servers never
# exit'
max_requests_per_server = 0
}
# MODULE CONFIGURATION
#
# The names and configuration of each module is located in this section.
#
# After the modules are defined here, they may be referred to by name,
# in other sections of this configuration file.
#
modules {
#
# Each module has a configuration as follows:
#
# name [ instance ] {
# config_item = value
# ...
# }
#
# The 'name' is used to load the 'rlm_name' library
# which implements the functionality of the module.
#
# The 'instance' is optional. To have two different instances
# of a module, it first must be referred to by 'name'.
# The different copies of the module are then created by
# inventing two 'instance' names, e.g. 'instance1' and 'instance2'
#
# The instance names can then be used in later configuration
# INSTEAD of the original 'name'. See the 'radutmp' configuration
# below for an example.
#
# PAP module to authenticate users based on their stored password
#
# Supports multiple encryption schemes
# clear: Clear text
# crypt: Unix crypt
# md5: MD5 ecnryption
# sha1: SHA1 encryption.
# DEFAULT: crypt
pap {
encryption_scheme = crypt
}
# CHAP module
#
# To authenticate requests containing a CHAP-Password attribute.
#
chap {
authtype = CHAP
}
# Pluggable Authentication Modules
#
# For Linux, see:
# http://www.kernel.org/pub/linux/libs/pam/index.html
#
# WARNING: On many systems, the system PAM libraries have
# memory leaks! We STRONGLY SUGGEST that you do not
# use PAM for authentication, due to those memory leaks.
#
pam {
#
# The name to use for PAM authentication.
# PAM looks in /etc/pam.d/${pam_auth_name}
# for it's configuration. See 'redhat/radiusd-pam'
# for a sample PAM configuration file.
#
# Note that any Pam-Auth attribute set in the 'authorize'
# section will over-ride this one.
#
pam_auth = radiusd
}
# Unix /etc/passwd style authentication
#
unix {
#
# Cache /etc/passwd, /etc/shadow, and /etc/group
#
# The default is to NOT cache them.
#
# For FreeBSD and NetBSD, you do NOT want to enable
# the cache, as it's password lookups are done via a
# database, so set this value to 'no'.
#
# Some systems (e.g. RedHat Linux with pam_pwbd) can
# take *seconds* to check a password, when th passwd
# file containing 1000's of entries. For those systems,
# you should set the cache value to 'yes', and set
# the locations of the 'passwd', 'shadow', and 'group'
# files, below.
#
# allowed values: {no, yes}
cache = no
# Reload the cache every 600 seconds (10mins). 0 to disable.
cache_reload = 600
#
# Define the locations of the normal passwd, shadow, and
# group files.
#
# 'shadow' is commented out by default, because not all
# systems have shadow passwords.
#
# To force the module to use the system password functions,
# instead of reading the files, leave the following entries
# commented out.
#
# This is required for some systems, like FreeBSD,
# and Mac OSX.
#
# passwd = /etc/passwd
# shadow = /etc/shadow
# group = /etc/group
#
# The location of the "wtmp" file.
# This should be moved to it's own module soon.
#
# The only use for 'radlast'. If you don't use
# 'radlast', then you can comment out this item.
#
radwtmp = ${logdir}/radwtmp
}
# Extensible Authentication Protocol
#
# For all EAP related authentications.
# Now in another file, because it is very large.
#
$INCLUDE ${confdir}/eap.conf
# Microsoft CHAP authentication
#
# This module supports MS-CHAP and MS-CHAPv2 authentication.
# It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
#
# As of 0.9, the mschap module does NOT support
# reading from /etc/smbpasswd.
#
# If you are using /etc/smbpasswd, see the 'passwd'
# module for an example of how to use /etc/smbpasswd
# authtype value, if present, will be used
# to overwrite (or add) Auth-Type during
# authorization. Normally should be MS-CHAP
authtype = MS-CHAP
# if use_mppe is not set to no mschap will
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
#
#use_mppe = no
# if mppe is enabled require_encryption makes
# encryption moderate
#
#require_encryption = yes
# require_strong always requires 128 bit key
# encryption
#
#require_strong = yes
# Windows sends us a username in the form of
# DOMAIN\user, but sends the challenge response
# based on only the user portion. This hack
# corrects for that incorrect behavior.
#
#with_ntdomain_hack = no
# The module can perform authentication itself, OR
# use a Windows Domain Controller. This configuration
# directive tells the module to call the ntlm_auth
# program, which will do the authentication, and return
# the NT-Key. Note that you MUST have "winbindd" and
# "nmbd" running on the local machine for ntlm_auth
# to work. See the ntlm_auth program documentation
# for details.
#
# Be VERY careful when editing the following line!
#
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
# Lightweight Directory Access Protocol (LDAP)
#
# This module definition allows you to use LDAP for
# authorization and authentication (Auth-Type := LDAP)
#
# See doc/rlm_ldap for description of configuration options
# and sample authorize{} and authenticate{} blocks
ldap {
server = "ldap.your.domain"
# identity = "cn=admin,o=My Org,c=UA"
# password = mypass
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
# base_filter = "(objectclass=radiusprofile)"
# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 689) connections
start_tls = no
# tls_cacertfile = /path/to/cacert.pem
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile = /path/to/radius.crt
# tls_keyfile = /path/to/radius.key
# tls_randfile = /path/to/rnd
# tls_require_cert = "demand"
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
#
# NOTICE: The password_header directive is NOT case insensitive
#
# password_header = "{clear}"
#
# Set:
# password_attribute = nspmPassword
#
# to get the user's password from a Novell eDirectory
# backend. This will work *only if* freeRADIUS is
# configured to build with --with-edir option.
#
#
# The server can usually figure this out on its own, and pull
# the correct User-Password or NT-Password from the database.
#
# Note that NT-Passwords MUST be stored as a 32-digit hex
# string, and MUST start off with "0x", such as:
#
# 0x000102030405060708090a0b0c0d0e0f
#
# Without the leading "0x", NT-Passwords will not work.
# This goes for NT-Passwords stored in SQL, too.
#
# password_attribute = userPassword
#
# Un-comment the following to disable Novell eDirectory account
# policy check and intruder detection. This will work *only if*
# FreeRADIUS is configured to build with --with-edir option.
#
# edir_account_policy_check=no
#
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
#
# By default, if the packet contains a User-Password,
# and no other module is configured to handle the
# authentication, the LDAP module sets itself to do
# LDAP bind for authentication.
#
# You can disable this behavior by setting the following
# configuration entry to "no".
#
# allowed values: {no, yes}
# set_auth_type = yes
}
# passwd module allows to do authorization via any passwd-like
# file and to extract any attributes from these modules
#
# parameters are:
# filename - path to filename
# format - format for filename record. This parameters
# correlates record in the passwd file and RADIUS
# attributes.
#
# Field marked as '*' is key field. That is, the parameter
# with this name from the request is used to search for
# the record from passwd file
# Attribute marked as '=' is added to reply_itmes instead
# of default configure_itmes
# Attribute marked as '~' is added to request_items
#
# Field marked as ',' may contain a comma separated list
# of attributes.
# authtype - if record found this Auth-Type is used to authenticate
# user
# hashsize - hashtable size. If 0 or not specified records are not
# stored in memory and file is red on every request.
# allowmultiplekeys - if few records for every key are allowed
# ignorenislike - ignore NIS-related records
# delimiter - symbol to use as a field separator in passwd file,
# for format ':' symbol is always used. '\0', '\n' are
# not allowed
#
# An example configuration for using /etc/smbpasswd.
#
#passwd etc_smbpasswd {
# filename = /etc/smbpasswd
# format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
# authtype = MS-CHAP
# hashsize = 100
# ignorenislike = no
# allowmultiplekeys = no
#}
# Similar configuration, for the /etc/group file. Adds a Group-Name
# attribute for every group that the user is member of.
#
#passwd etc_group {
# filename = /etc/group
# format = "=Group-Name:::*,User-Name"
# hashsize = 50
# ignorenislike = yes
# allowmultiplekeys = yes
# delimiter = ":"
#}
# Realm module, for proxying.
#
# You can have multiple instances of the realm module to
# support multiple realm syntaxs at the same time. The
# search order is defined by the order in the authorize and
# preacct sections.
#
# Four config options:
# format - must be 'prefix' or 'suffix'
# delimiter - must be a single character
# ignore_default - set to 'yes' or 'no'
# ignore_null - set to 'yes' or 'no'
#
# ignore_default and ignore_null can be set to 'yes' to prevent
# the module from matching against DEFAULT or NULL realms. This
# may be useful if you have have multiple instances of the
# realm module.
#
# They both default to 'no'.
#
# 'realm/username'
#
# Using this entry, IPASS users have their realm set to "IPASS".
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
# 'username@realm'
#
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
# 'username%realm'
#
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
#
# 'domain\user'
#
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# A simple value checking module
#
# It can be used to check if an attribute value in the request
# matches a (possibly multi valued) attribute in the check
# items This can be used for example for caller-id
# authentication. For the module to run, both the request
# attribute and the check items attribute must exist
#
# i.e.
# A user has an ldap entry with 2 radiusCallingStationId
# attributes with values "12345678" and "12345679". If we
# enable rlm_checkval, then any request which contains a
# Calling-Station-Id with one of those two values will be
# accepted. Requests with other values for
# Calling-Station-Id will be rejected.
#
# Regular expressions in the check attribute value are allowed
# as long as the operator is '=~'
#
checkval {
# The attribute to look for in the request
item-name = Calling-Station-Id
# The attribute to look for in check items. Can be multi valued
check-name = Calling-Station-Id
# The data type. Can be
# string,integer,ipaddr,date,abinary,octets
data-type = string
# If set to yes and we dont find the item-name attribute in the
# request then we send back a reject
# DEFAULT is no
#notfound-reject = no
}
# rewrite arbitrary packets. Useful in accounting and authorization.
#
#
# The module can also use the Rewrite-Rule attribute. If it
# is set and matches the name of the module instance, then
# that module instance will be the only one which runs.
#
# Also if new_attribute is set to yes then a new attribute
# will be created containing the value replacewith and it
# will be added to searchin (packet, reply, proxy, proxy_reply or config).
# searchfor,ignore_case and max_matches will be ignored in that case.
#
# Backreferences are supported: %{0} will contain the string the whole match
# and %{1} to %{8} will contain the contents of the 1st to the 8th parentheses
#
# If max_matches is greater than one the backreferences will correspond to the
# first match
#
#attr_rewrite sanecallerid {
# attribute = Called-Station-Id
# may be "packet", "reply", "proxy", "proxy_reply" or "config"
# searchin = packet
# searchfor = "[+ ]"
# replacewith = ""
# ignore_case = no
# new_attribute = no
# max_matches = 10
# ## If set to yes then the replace string will be appended to the original string
# append = no
#}
# Preprocess the incoming RADIUS request, before handing it off
# to other modules.
#
# This module processes the 'huntgroups' and 'hints' files.
# In addition, it re-writes some weird attributes created
# by some NASes, and converts the attributes into a form which
# is a little more standard.
#
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
# This hack changes Ascend's wierd port numberings
# to standard 0-??? port numbers so that the "+" works
# for IP address assignments.
with_ascend_hack = no
ascend_channels_per_line = 23
# Windows NT machines often authenticate themselves as
# NT_DOMAIN\username
#
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
#
# This configuration entry SHOULD NOT be used.
# See the "realms" module for a better way to handle
# NT domains.
with_ntdomain_hack = no
# Specialix Jetstream 8500 24 port access server.
#
# If the user name is 10 characters or longer, a "/"
# and the excess characters after the 10th are
# appended to the user name.
#
# If you're not running that NAS, you don't need
# this hack.
with_specialix_jetstream_hack = no
# Cisco (and Quintum in Cisco mode) sends it's VSA attributes
# with the attribute name *again* in the string, like:
#
# H323-Attribute = "h323-attribute=value".
#
# If this configuration item is set to 'yes', then
# the redundant data in the the attribute text is stripped
# out. The result is:
#
# H323-Attribute = "value"
#
# If you're not running a Cisco or Quintum NAS, you don't
# need this hack.
with_cisco_vsa_hack = no
}
# Livingston-style 'users' file
#
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
# If you want to use the old Cistron 'users' file
# with FreeRADIUS, you should change the next line
# to 'compat = cistron'. You can the copy your 'users'
# file from Cistron.
compat = no
}
# Write a detailed log of all accounting records received.
#
detail {
# Note that we do NOT use NAS-IP-Address here, as
# that attribute MAY BE from the originating NAS, and
# NOT from the proxy which actually sent us the
# request. The Client-IP-Address attribute is ALWAYS
# the address of the client which sent us the
# request.
#
# The following line creates a new detail file for
# every radius client (by IP address or hostname).
# In addition, a new detail file is created every
# day, so that the detail file doesn't have to go
# through a 'log rotation'
#
# If your detail files are large, you may also want
# to add a ':%H' (see doc/variables.txt) to the end
# of it, to create a new detail file every hour, e.g.:
#
# ..../detail-%Y%m%d:%H
#
# This will create a new detail file for every hour.
#
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
#
# The Unix-style permissions on the 'detail' file.
#
# The detail file often contains secret or private
# information about users. So by keeping the file
# permissions restrictive, we can prevent unwanted
# people from seeing that information.
detailperm = 0600
}
#
# Many people want to log authentication requests.
# Rather than modifying the server core to print out more
# messages, we can use a different instance of the 'detail'
# module, to log the authentication requests to a file.
#
# You will also need to un-comment the 'auth_log' line
# in the 'authorize' section, below.
#
# detail auth_log {
# detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# }
#
# This module logs authentication reply packets sent
# to a NAS. Both Access-Accept and Access-Reject packets
# are logged.
#
# You will also need to un-comment the 'reply_log' line
# in the 'post-auth' section, below.
#
# detail reply_log {
# detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# }
#
# This module logs packets proxied to a home server.
#
# You will also need to un-comment the 'pre_proxy_log' line
# in the 'pre-proxy' section, below.
#
# detail pre_proxy_log {
# detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# }
#
# This module logs response packets from a home server.
#
# You will also need to un-comment the 'post_proxy_log' line
# in the 'post-proxy' section, below.
#
# detail post_proxy_log {
# detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# }
#
# The rlm_sql_log module appends the SQL queries in a log
# file which is read later by the radsqlrelay program.
#
# This module only performs the dynamic expansion of the
# variables found in the SQL statements. No operation is
# executed on the database server. (this could be done
# later by an external program) That means the module is
# useful only with non-"SELECT" statements.
#
# See rlm_sql_log(5) manpage.
#
# sql_log {
# path = ${radacctdir}/sql-relay
# acct_table = "radacct"
# postauth_table = "radpostauth"
#
# Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
# AcctSessionTime, AcctTerminateCause) VALUES \
# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
# '%{Framed-IP-Address}', '%S', '0', '0', '');"
# Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
# AcctSessionTime, AcctTerminateCause) VALUES \
# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
# '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \
# '%{Acct-Terminate-Cause}');"
# Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
# AcctSessionTime, AcctTerminateCause) VALUES \
# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
# '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');"
#
# Post-Auth = "INSERT INTO ${postauth_table} \
# (user, pass, reply, date) VALUES \
# ('%{User-Name}', '%{User-Password:-Chap-Password}', \
# '%{reply:Packet-Type}', '%S');"
# }
#
# Create a unique accounting session Id. Many NASes re-use
# or repeat values for Acct-Session-Id, causing no end of
# confusion.
#
# This module will add a (probably) unique session id
# to an accounting packet based on the attributes listed
# below found in the packet. See doc/rlm_acct_unique for
# more information.
#
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
# Include another file that has the SQL-related configuration.
# This is another file only because it tends to be big.
#
# The following configuration file is for use with MySQL.
#
# For Postgresql, use: ${confdir}/postgresql.conf
# For MS-SQL, use: ${confdir}/mssql.conf
# For Oracle, use: ${confdir}/oraclesql.conf
#
$INCLUDE ${confdir}/sql.conf
# For Cisco VoIP specific accounting with Postgresql,
# use: ${confdir}/pgsql-voip.conf
#
# You will also need the sql schema from:
# src/billing/cisco_h323_db_schema-postgres.sql
# Note: This config can be use AS WELL AS the standard sql
# config if you need SQL based Auth
# Write a 'utmp' style file, of which users are currently
# logged in, and where they've logged in from.
#
# This file is used mainly for Simultaneous-Use checking,
# and also 'radwho', to see who's currently logged in.
#
radutmp {
# Where the file is stored. It's not a log file,
# so it doesn't need rotating.
#
filename = ${logdir}/radutmp
# The field in the packet to key on for the
# 'user' name, If you have other fields which you want
# to use to key on to control Simultaneous-Use,
# then you can use them here.
#
# Note, however, that the size of the field in the
# 'utmp' data structure is small, around 32
# characters, so that will limit the possible choices
# of keys.
#
# You may want instead: %{Stripped-User-Name:-%{User-Name}}
username = %{User-Name}
# Whether or not we want to treat "user" the same
# as "USER", or "User". Some systems have problems
# with case sensitivity, so this should be set to
# 'no' to enable the comparisons of the key attribute
# to be case insensitive.
#
case_sensitive = yes
# Accounting information may be lost, so the user MAY
# have logged off of the NAS, but we haven't noticed.
# If so, we can verify this information with the NAS,
#
# If we want to believe the 'utmp' file, then this
# configuration entry can be set to 'no'.
#
check_with_nas = yes
# Set the file permissions, as the contents of this file
# are usually private.
perm = 0600
callerid = "yes"
}
# "Safe" radutmp - does not contain caller ID, so it can be
# world-readable, and radwho can work for normal users, without
# exposing any information that isn't already exposed by who(1).
#
# This is another 'instance' of the radutmp module, but it is given
# then name "sradutmp" to identify it later in the "accounting"
# section.
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS client
# only allowed attributes.
attr_filter {
attrsfile = ${confdir}/attrs
}
# counter module:
# This module takes an attribute (count-attribute).
# It also takes a key, and creates a counter for each unique
# key. The count is incremented when accounting packets are
# received by the server. The value of the increment depends
# on the attribute type.
# If the attribute is Acct-Session-Time or of an integer type we add the
# value of the attribute. If it is anything else we increase the
# counter by one.
#
# The 'reset' parameter defines when the counters are all reset to
# zero. It can be hourly, daily, weekly, monthly or never.
#
# hourly: Reset on 00:00 of every hour
# daily: Reset on 00:00:00 every day
# weekly: Reset on 00:00:00 on sunday
# monthly: Reset on 00:00:00 of the first day of each month
#
# It can also be user defined. It should be of the form:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is ommited days will be assumed. In example:
# reset = 10h (reset every 10 hours)
# reset = 12 (reset every 12 days)
#
#
# The check-name attribute defines an attribute which will be
# registered by the counter module and can be used to set the
# maximum allowed value for the counter after which the user
# is rejected.
# Something like:
#
# DEFAULT Max-Daily-Session := 36000
# Fall-Through = 1
#
# You should add the counter module in the instantiate
# section so that it registers check-name before the files
# module reads the users file.
#
# If check-name is set and the user is to be rejected then we
# send back a Reply-Message and we log a Failure-Message in
# the radius.log
# If the count attribute is Acct-Session-Time then on each login
# we send back the remaining online time as a Session-Timeout attribute
#
# The counter-name can also be used instead of using the check-name
# like below:
#
# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
# Reply-Message = "You've used up more than one hour today"
#
# The allowed-servicetype attribute can be used to only take
# into account specific sessions. For example if a user first
# logs in through a login menu and then selects ppp there will
# be two sessions. One for Login-User and one for Framed-User
# service type. We only need to take into account the second one.
#
# The module should be added in the instantiate, authorize and
# accounting sections. Make sure that in the authorize
# section it comes after any module which sets the
# 'check-name' attribute.
#
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
#
# This module is an SQL enabled version of the counter module.
#
# Rather than maintaining seperate (GDBM) databases of
# accounting info for each counter, this module uses the data
# stored in the raddacct table by the sql modules. This
# module NEVER does any database INSERTs or UPDATEs. It is
# totally dependent on the SQL module to process Accounting
# packets.
#
# The 'sqlmod_inst' parameter holds the instance of the sql
# module to use when querying the SQL database. Normally it
# is just "sql". If you define more and one SQL module
# instance (usually for failover situations), you can
# specify which module has access to the Accounting Data
# (radacct table).
#
# The 'reset' parameter defines when the counters are all
# reset to zero. It can be hourly, daily, weekly, monthly or
# never. It can also be user defined. It should be of the
# form:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is ommited days will be assumed. In example:
# reset = 10h (reset every 10 hours)
# reset = 12 (reset every 12 days)
#
# The 'key' parameter specifies the unique identifier for the
# counter records (usually 'User-Name').
#
# The 'query' parameter specifies the SQL query used to get
# the current Counter value from the database. There are 3
# parameters that can be used in the query:
# %k 'key' parameter
# %b unix time value of beginning of reset period
# %e unix time value of end of reset period
#
# The 'check-name' parameter is the name of the 'check'
# attribute to use to access the counter in the 'users' file
# or SQL radcheck or radcheckgroup tables.
#
# DEFAULT Max-Daily-Session > 3600, Auth-Type = Reject
# Reply-Message = "You've used up more than one hour today"
#
sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
sqlmod-inst = sql
key = User-Name
reset = daily
# This query properly handles calls that span from the
# previous reset period into the current period but
# involves more work for the SQL server than those
# below
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
# This query ignores calls that started in a previous
# reset period and continue into into this one. But it
# is a little easier on the SQL server
# query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
# UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
# This query is the same as above, but demonstrates an
# additional counter parameter '%e' which is the
# timestamp for the end of the period
# query = "SELECT SUM(AcctSessionTime) FROM radacct \
# WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \
# FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
}
sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
sqlmod-inst = sql
key = User-Name
reset = monthly
# This query properly handles calls that span from the
# previous reset period into the current period but
# involves more work for the SQL server than those
# below
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
# This query ignores calls that started in a previous
# reset period and continue into into this one. But it
# is a little easier on the SQL server
# query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
# UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
# This query is the same as above, but demonstrates an
# additional counter parameter '%e' which is the
# timestamp for the end of the period
# query = "SELECT SUM(AcctSessionTime) FROM radacct \
# WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \
# FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
}
#
# The "always" module is here for debugging purposes. Each
# instance simply returns the same result, always, without
# doing anything.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
#
# The 'expression' module currently has no configuration.
#
# This module is useful only for 'xlat'. To use it,
# put 'exec' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
#
# Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
expr {
}
#
# The 'digest' module currently has no configuration.
#
# "Digest" authentication against a Cisco SIP server.
# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
# on performing digest authentication for Cisco SIP servers.
#
digest {
}
#
# Execute external programs
#
# This module is useful only for 'xlat'. To use it,
# put 'exec' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
#
# Attribute-Name = `%{exec:/path/to/program args}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
#
# The RADIUS attributes from the user request will be placed
# into environment variables of the executed program, as
# described in 'doc/variables.txt'
#
exec {
wait = yes
input_pairs = request
}
#
# This is a more general example of the execute module.
#
# This one is called "echo".
#
# Attribute-Name = `%{echo:/path/to/program args}`
#
# If you wish to execute an external program in more than
# one section (e.g. 'authorize', 'pre_proxy', etc), then it
# is probably best to define a different instance of the
# 'exec' module for every section.
#
exec echo {
#
# Wait for the program to finish.
#
# If we do NOT wait, then the program is "fire and
# forget", and any output attributes from it are ignored.
#
# If we are looking for the program to output
# attributes, and want to add those attributes to the
# request, then we MUST wait for the program to
# finish, and therefore set 'wait=yes'
#
# allowed values: {no, yes}
wait = yes
#
# The name of the program to execute, and it's
# arguments. Dynamic translation is done on this
# field, so things like the following example will
# work.
#
program = "/bin/echo %{User-Name}"
#
# The attributes which are placed into the
# environment variables for the program.
#
# Allowed values are:
#
# request attributes from the request
# config attributes from the configuration items list
# reply attributes from the reply
# proxy-request attributes from the proxy request
# proxy-reply attributes from the proxy reply
#
# Note that some attributes may not exist at some
# stages. e.g. There may be no proxy-reply
# attributes if this module is used in the
# 'authorize' section.
#
input_pairs = request
#
# Where to place the output attributes (if any) from
# the executed program. The values allowed, and the
# restrictions as to availability, are the same as
# for the input_pairs.
#
output_pairs = reply
#
# When to execute the program. If the packet
# type does NOT match what's listed here, then
# the module does NOT execute the program.
#
# For a list of allowed packet types, see
# the 'dictionary' file, and look for VALUEs
# of the Packet-Type attribute.
#
# By default, the module executes on ANY packet.
# Un-comment out the following line to tell the
# module to execute only if an Access-Accept is
# being sent to the NAS.
#
#packet_type = Access-Accept
}
# Do server side ip pool management. Should be added in post-auth and
# accounting sections.
#
# The module also requires the existance of the Pool-Name
# attribute. That way the administrator can add the Pool-Name
# attribute in the user profiles and use different pools
# for different users. The Pool-Name attribute is a *check* item not
# a reply item.
#
# Example:
# radiusd.conf: ippool students { [...] }
# users file : DEFAULT Group == students, Pool-Name := "students"
#
# ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST *********
# ********* THEN ERASE THE DB FILES *********
#
ippool main_pool {
# range-start,range-stop: The start and end ip
# addresses for the ip pool
range-start = 192.168.1.1
range-stop = 192.168.3.254
# netmask: The network mask used for the ip's
netmask = 255.255.255.0
# cache-size: The gdbm cache size for the db
# files. Should be equal to the number of ip's
# available in the ip pool
cache-size = 800
# session-db: The main db file used to allocate ip's to clients
session-db = ${raddbdir}/db.ippool
# ip-index: Helper db index file used in multilink
ip-index = ${raddbdir}/db.ipindex
# override: Will this ippool override a Framed-IP-Address already set
override = no
# maximum-timeout: If not zero specifies the maximum time in seconds an
# entry may be active. Default: 0
maximum-timeout = 0
}
# OTP token support. Not included by default.
# $INCLUDE ${confdir}/otp.conf
}
# Instantiation
#
# This section orders the loading of the modules. Modules
# listed here will get loaded BEFORE the later sections like
# authorize, authenticate, etc. get examined.
#
# This section is not strictly needed. When a section like
# authorize refers to a module, it's automatically loaded and
# initialized. However, some modules may not be listed in any
# of the following sections, so they can be listed here.
#
# Also, listing modules here ensures that you have control over
# the order in which they are initalized. If one module needs
# something defined by another module, you can list them in order
# here, and ensure that the configuration will be OK.
#
instantiate {
#
# Allows the execution of external scripts.
# The entire command line (and output) must fit into 253 bytes.
#
# e.g. Framed-Pool = `%{exec:/bin/echo foo}`
exec
#
# The expression module doesn't do authorization,
# authentication, or accounting. It only does dynamic
# translation, of the form:
#
# Session-Timeout = `%{expr:2 + 3}`
#
# So the module needs to be instantiated, but CANNOT be
# listed in any other section. See 'doc/rlm_expr' for
# more information.
#
expr
#
# We add the counter module here so that it registers
# the check-name attribute before any module which sets
# it
# daily
}
# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
#
# The preprocess module takes care of sanitizing some bizarre
# attributes in the request, and turning them into attributes
# which are more standard.
#
# It takes care of processing the 'raddb/hints' and the
# 'raddb/huntgroups' files.
#
# It also adds the %{Client-IP-Address} attribute to the request.
preprocess
#
# If you want to have a log of authentication requests,
# un-comment the following line, and the 'detail auth_log'
# section, above.
# auth_log
# attr_filter
#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
# chap
#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
# mschap
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authenticate' section.
# digest
#
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
# IPASS
#
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
# suffix
# ntdomain
#
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
# authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
eap
#
# Read the 'users' file
# files
#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in sql.conf
sql
#
# If you are using /etc/smbpasswd, and are also doing
# mschap authentication, the un-comment this line, and
# configure the 'etc_smbpasswd' module, above.
# etc_smbpasswd
#
# The ldap module will set Auth-Type to LDAP if it has not
# already been set
# ldap
#
# Enforce daily limits on time spent logged in.
# daily
#
# Use the checkval module
# checkval
}
# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the apropriate module from the list below.
#
# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# is to either forcibly reject the user, or forcibly accept him.
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
# Auth-Type PAP {
# pap
# }
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
# Auth-Type CHAP {
# chap
# }
#
# MSCHAP authentication.
# Auth-Type MS-CHAP {
# mschap
# }
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authorize' section.
# digest
#
# Pluggable Authentication Modules.
# pam
#
# See 'man getpwent' for information on how the 'unix'
# module checks the users password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
# unix
# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
# Auth-Type LDAP {
# ldap
# }
#
# Allow EAP authentication.
eap
}
#
# Pre-accounting. Decide which accounting type to use.
#
preacct {
preprocess
#
# Ensure that we have a semi-unique identifier for every
# request, and many NAS boxes are broken.
acct_unique
#
# Look for IPASS-style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
#
# Accounting requests are generally proxied to the same
# home server as authentication requests.
# IPASS
# suffix
# ntdomain
#
# Read the 'acct_users' file
# files
}
#
# Accounting. Log the accounting data.
#
accounting {
#
# Create a 'detail'ed log of the packets.
# Note that accounting requests which are proxied
# are also logged in the detail file.
# detail
# daily
# Update the wtmp file
#
# If you don't use "radlast", you can delete this line.
# unix
#
# For Simultaneous-Use tracking.
#
# Due to packet losses in the network, the data here
# may be incorrect. There is little we can do about it.
radutmp
# sradutmp
# Return an address to the IP Pool when we see a stop record.
# main_pool
#
# Log traffic to an SQL database.
#
# See "Accounting queries" in sql.conf
sql
#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log
# Cisco VoIP specific bulk accounting
# pgsql-voip
}
# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
# radutmp
#
# See "Simultaneous Use Checking Querie" in sql.conf
sql
}
# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
# Get an address from the IP Pool.
# main_pool
#
# If you want to have a log of authentication replies,
# un-comment the following line, and the 'detail reply_log'
# section, above.
# reply_log
#
# After authenticating the user, do another SQL query.
#
# See "Authentication Logging Queries" in sql.conf
# sql
#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log
#
# Un-comment the following if you have set
# 'edir_account_policy_check = yes' in the ldap module sub-section of
# the 'modules' section.
#
# ldap
#
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
# Uncomment the following and set the module name to the ldap instance
# name if you have set 'edir_account_policy_check = yes' in the ldap
# module sub-section of the 'modules' section.
#
# Post-Auth-Type REJECT {
# insert-module-name-here
# }
}
#
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to
# cancel the proxy.
#
# Only a few modules currently have this method.
#
pre-proxy {
# attr_rewrite
# Uncomment the following line if you want to change attributes
# as defined in the preproxy_users file.
# files
# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
# pre_proxy_log
}
#
# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the
# post-proxy stage.
#
post-proxy {
# If you want to have a log of replies from a home server,
# un-comment the following line, and the 'detail post_proxy_log'
# section, above.
# post_proxy_log
# attr_rewrite
# Uncomment the following line if you want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file.
# attr_filter
#
# If you are proxying LEAP, you MUST configure the EAP
# module, and you MUST list it here, in the post-proxy
# stage.
#
# You MUST also use the 'nostrip' option in the 'realm'
# configuration. Otherwise, the User-Name attribute
# in the proxied request will not match the user name
# hidden inside of the EAP packet, and the end server will
# reject the EAP request.
#
eap
}
#***************************Arquivo sql.conf**********************************************
#
# Configuration for the SQL module, when using MySQL.
#
# The database schema is available at:
#
# src/radiusd/src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql
#
# If you are using PostgreSQL, please use 'postgresql.conf', instead.
# If you are using Oracle, please use 'oracle.conf', instead.
# If you are using MS-SQL, please use 'mssql.conf', instead.
#
# $Id: sql.conf,v 1.41.2.2.2.1 2005/12/09 14:47:03 nbk Exp $
#
sql {
# Database type
# Current supported are: rlm_sql_mysql, rlm_sql_postgresql,
# rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds
driver = "rlm_sql_mysql"
# Connect info
server = "localhost"
login = "erick"
password = "123"
# Database table configuration
radius_db = "radius"
# If you want both stop and start records logged to the
# same SQL table, leave this as is. If you want them in
# different tables, put the start table in acct_table1
# and stop table in acct_table2
acct_table1 = "radacct"
acct_table2 = "radacct"
# Allow for storing data after authentication
postauth_table = "radpostauth"
authcheck_table = "radcheck"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
usergroup_table = "usergroup"
# Table to keep radius client info
nas_table = "nas"
# Remove stale session if checkrad does not see a double login
deletestalesessions = yes
# Print all SQL statements when in debug mode (-x)
sqltrace = no
sqltracefile = ${logdir}/sqltrace.sql
# number of sql connections to make to server
num_sql_socks = 5
# number of seconds to dely retrying on a failed database
# connection (per_socket)
connect_failure_retry_delay = 60
# Safe characters list for sql queries. Everything else is replaced
# with their mime-encoded equivalents.
# The default list should be ok
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
#######################################################################
# Query config: Username
#######################################################################
# This is the username that will get substituted, escaped, and added
# as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used below
# everywhere a username substitution is needed so you you can be sure
# the username passed from the client is escaped properly.
#
# Uncomment the next line, if you want the sql_user_name to mean:
#
# Use Stripped-User-Name, if it's there.
# Else use User-Name, if it's there,
# Else use hard-coded string "DEFAULT" as the user name.
#sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"
#
sql_user_name = "%{User-Name}"
#######################################################################
# Default profile
#######################################################################
# This is the default profile. It is found in SQL by group membership.
# That means that this profile must be a member of at least one group
# which will contain the corresponding check and reply items.
# This profile will be queried in the authorize section for every user.
# The point is to assign all users a default profile without having to
# manually add each one to a group that will contain the profile.
# The SQL module will also honor the User-Profile attribute. This
# attribute can be set anywhere in the authorize section (ie the users
# file). It is found exactly as the default profile is found.
# If it is set then it will *overwrite* the default profile setting.
# The idea is to select profiles based on checks on the incoming packets,
# not on user group membership. For example:
# -- users file --
# DEFAULT Service-Type == Outbound-User, User-Profile := "outbound"
# DEFAULT Service-Type == Framed-User, User-Profile := "framed"
#
# By default the default_user_profile is not set
#
#default_user_profile = "DEFAULT"
#
# Determines if we will query the default_user_profile or the User-Profile
# if the user is not found. If the profile is found then we consider the user
# found. By default this is set to 'no'.
#
#query_on_not_found = no
#######################################################################
# Authorization Queries
#######################################################################
# These queries compare the check items for the user
# in ${authcheck_table} and setup the reply items in
# ${authreply_table}. You can use any query/tables
# you want, but the return data for each row MUST
# be in the following order:
#
# 0. Row ID (currently unused)
# 1. UserName/GroupName
# 2. Item Attr Name
# 3. Item Attr Value
# 4. Item Attr Operation
#######################################################################
# Use these for case sensitive usernames.
# authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
# FROM ${authcheck_table} \
# WHERE Username = BINARY '%{SQL-User-Name}' \
# ORDER BY id"
# authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
# FROM ${authreply_table} \
# WHERE Username = BINARY '%{SQL-User-Name}' \
# ORDER BY id"
# The default queries are case insensitive. (for compatibility with
# older versions of FreeRADIUS)
authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
FROM ${authcheck_table} \
WHERE Username = '%{SQL-User-Name}' \
ORDER BY id"
authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
FROM ${authreply_table} \
WHERE Username = '%{SQL-User-Name}' \
ORDER BY id"
# Use these for case sensitive usernames.
# authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = BINARY '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id"
# authorize_group_reply_query = "SELECT ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op FROM ${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username = BINARY '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id"
authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id"
authorize_group_reply_query = "SELECT ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op FROM ${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id"
#######################################################################
# Accounting Queries
#######################################################################
# accounting_onoff_query - query for Accounting On/Off packets
# accounting_update_query - query for Accounting update packets
# accounting_update_query_alt - query for Accounting update packets
# (alternate in case first query fails)
# accounting_start_query - query for Accounting start packets
# accounting_start_query_alt - query for Accounting start packets
# (alternate in case first query fails)
# accounting_stop_query - query for Accounting stop packets
# accounting_stop_query_alt - query for Accounting start packets
# (alternate in case first query doesn't
# affect any existing rows in the table)
#######################################################################
accounting_onoff_query = "UPDATE ${acct_table1} SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
accounting_update_query = "UPDATE ${acct_table1} \
SET FramedIPAddress = '%{Framed-IP-Address}', \
AcctSessionTime = '%{Acct-Session-Time}', \
AcctInputOctets = '%{Acct-Input-Octets}', \
AcctOutputOctets = '%{Acct-Output-Octets}' \
WHERE AcctSessionId = '%{Acct-Session-Id}' \
AND UserName = '%{SQL-User-Name}' \
AND NASIPAddress= '%{NAS-IP-Address}'"
accounting_update_query_alt = "INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')"
accounting_start_query = "INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"
accounting_start_query_alt = "UPDATE ${acct_table1} SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
accounting_stop_query = "UPDATE ${acct_table2} SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
accounting_stop_query_alt = "INSERT into ${acct_table2} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')"
#######################################################################
# Simultaneous Use Checking Queries
#######################################################################
# simul_count_query - query for the number of current connections
# - If this is not defined, no simultaneouls use checking
# - will be performed by this module instance
# simul_verify_query - query to return details of current connections for verification
# - Leave blank or commented out to disable verification step
# - Note that the returned field order should not be changed.
#######################################################################
# Uncomment simul_count_query to enable simultaneous use checking
simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
#######################################################################
# Group Membership Queries
#######################################################################
# group_membership_query - Check user group membership
#######################################################################
group_membership_query = "SELECT GroupName FROM ${usergroup_table} WHERE UserName='%{SQL-User-Name}'"
#######################################################################
# Authentication Logging Queries
#######################################################################
# postauth_query - Insert some info after authentication
#######################################################################
postauth_query = "INSERT into ${postauth_table} (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"
#
# Set to 'yes' to read radius clients from the database ('nas' table)
#readclients = yes
}
#************************************Arquivo eap.conf*********************************
# -*- text -*-
#
# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
# is smart enough to figure this out on its own. The most
# common side effect of setting 'Auth-Type := EAP' is that the
# users then cannot use ANY other authentication method.
#
# $Id: eap.conf,v 1.4.4.1 2006/01/04 14:29:29 nbk Exp $
#
eap {
# Invoke the default supported EAP type when
# EAP-Identity response is received.
#
# The incoming EAP messages DO NOT specify which EAP
# type they will be using, so it MUST be set here.
#
# For now, only one default EAP type may be used at a time.
#
# If the EAP-Type attribute is set by another module,
# then that EAP type takes precedence over the
# default type configured here.
#
default_eap_type = md5
# A list is maintained to correlate EAP-Response
# packets with EAP-Request packets. After a
# configurable length of time, entries in the list
# expire, and are deleted.
#
timer_expire = 60
# There are many EAP types, but the server has support
# for only a limited subset. If the server receives
# a request for an EAP type it does not support, then
# it normally rejects the request. By setting this
# configuration to "yes", you can tell the server to
# instead keep processing the request. Another module
# MUST then be configured to proxy the request to
# another RADIUS server which supports that EAP type.
#
# If another module is NOT configured to handle the
# request, then the request will still end up being
# rejected.
ignore_unknown_eap_types = no
# Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
# a User-Name attribute in an Access-Accept, it copies one
# more byte than it should.
#
# We can work around it by configurably adding an extra
# zero byte.
cisco_accounting_username_bug = no
# Supported EAP-types
#
# We do NOT recommend using EAP-MD5 authentication
# for wireless connections. It is insecure, and does
# not provide for dynamic WEP keys.
#
md5 {
}
# Cisco LEAP
#
# We do not recommend using LEAP in new deployments. See:
# http://www.securiteam.com/tools/5TP012ACKE.html
#
# Cisco LEAP uses the MS-CHAP algorithm (but not
# the MS-CHAP attributes) to perform it's authentication.
#
# As a result, LEAP *requires* access to the plain-text
# User-Password, or the NT-Password attributes.
# 'System' authentication is impossible with LEAP.
#
leap {
}
# Generic Token Card.
#
# Currently, this is only permitted inside of EAP-TTLS,
# or EAP-PEAP. The module "challenges" the user with
# text, and the response from the user is taken to be
# the User-Password.
#
# Proxying the tunneled EAP-GTC session is a bad idea,
# the users password will go over the wire in plain-text,
# for anyone to see.
#
gtc {
# The default challenge, which many clients
# ignore..
#challenge = "Password: "
# The plain-text response which comes back
# is put into a User-Password attribute,
# and passed to another module for
# authentication. This allows the EAP-GTC
# response to be checked against plain-text,
# or crypt'd passwords.
#
# If you say "Local" instead of "PAP", then
# the module will look for a User-Password
# configured for the request, and do the
# authentication itself.
#
auth_type = PAP
}
## EAP-TLS
#
# To generate ctest certificates, run the script
#
# ../scripts/certs.sh
#
# The documents on http://www.freeradius.org/doc
# are old, but may be helpful.
#
# See also:
#
# http://www.dslreports.com/forum/remark,9286052~mode=flat
#
tls {
private_key_password = whatever
private_key_file = ${raddbdir}/certs/cert-srv.pem
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
certificate_file = ${raddbdir}/certs/cert-srv.pem
# Trusted Root CA list
CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
#
# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
# that, to accomodate other attributes in
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600
# In these cases, fragment size should be
# 1024 or less.
#
fragment_size = 1024
# include_length is a flag which is
# by default set to yes If set to
# yes, Total Length of the message is
# included in EVERY packet we send.
# If set to no, Total Length of the
# message is included ONLY in the
# First packet of a fragment series.
#
include_length = yes
# Check the Certificate Revocation List
#
# 1) Copy CA certificates and CRLs to same directory.
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
# 'c_rehash' is OpenSSL's command.
# 3) Add 'CA_path=<CA certs&CRLs directory>'
# to radiusd.conf's tls section.
# 4) uncomment the line below.
# 5) Restart radiusd
# check_crl = yes
#
# If check_cert_cn is set, the value will
# be xlat'ed and checked against the CN
# in the client certificate. If the values
# do not match, the certificate verification
# will fail rejecting the user.
#
# check_cert_cn = %{User-Name}
}
# The TTLS module implements the EAP-TTLS protocol,
# which can be described as EAP inside of Diameter,
# inside of TLS, inside of EAP, inside of RADIUS...
#
# Surprisingly, it works quite well.
#
# The TTLS module needs the TLS module to be installed
# and configured, in order to use the TLS tunnel
# inside of the EAP packet. You will still need to
# configure the TLS module, even if you do not want
# to deploy EAP-TLS in your network. Users will not
# be able to request EAP-TLS, as it requires them to
# have a client certificate. EAP-TTLS does not
# require a client certificate.
#
ttls {
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# TTLS tunnel, we recommend using EAP-MD5.
# If the request does not contain an EAP
# conversation, then this configuration entry
# is ignored.
default_eap_type = md5
# The tunneled authentication request does
# not usually contain useful attributes
# like 'Calling-Station-Id', etc. These
# attributes are outside of the tunnel,
# and normally unavailable to the tunneled
# authentication request.
#
# By setting this configuration entry to
# 'yes', any attribute which NOT in the
# tunneled authentication request, but
# which IS available outside of the tunnel,
# is copied to the tunneled request.
#
# allowed values: {no, yes}
copy_request_to_tunnel = no
# The reply attributes sent to the NAS are
# usually based on the name of the user
# 'outside' of the tunnel (usually
# 'anonymous'). If you want to send the
# reply attributes based on the user name
# inside of the tunnel, then set this
# configuration entry to 'yes', and the reply
# to the NAS will be taken from the reply to
# the tunneled request.
#
# allowed values: {no, yes}
use_tunneled_reply = no
}
#
# The tunneled EAP session needs a default EAP type
# which is separate from the one for the non-tunneled
# EAP module. Inside of the TLS/PEAP tunnel, we
# recommend using EAP-MS-CHAPv2.
#
# The PEAP module needs the TLS module to be installed
# and configured, in order to use the TLS tunnel
# inside of the EAP packet. You will still need to
# configure the TLS module, even if you do not want
# to deploy EAP-TLS in your network. Users will not
# be able to request EAP-TLS, as it requires them to
# have a client certificate. EAP-PEAP does not
# require a client certificate.
#
# peap {
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# PEAP tunnel, we recommend using MS-CHAPv2,
# as that is the default type supported by
# Windows clients.
# default_eap_type = mschapv2
# the PEAP module also has these configuration
# items, which are the same as for TTLS.
# copy_request_to_tunnel = no
# use_tunneled_reply = no
# When the tunneled session is proxied, the
# home server may not understand EAP-MSCHAP-V2.
# Set this entry to "no" to proxy the tunneled
# EAP-MSCHAP-V2 as normal MSCHAPv2.
# proxy_tunneled_request_as_eap = yes
#}
#
# This takes no configuration.
#
# Note that it is the EAP MS-CHAPv2 sub-module, not
# the main 'mschap' module.
#
# Note also that in order for this sub-module to work,
# the main 'mschap' module MUST ALSO be configured.
#
# This module is the *Microsoft* implementation of MS-CHAPv2
# in EAP. There is another (incompatible) implementation
# of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
# currently support.
#
mschapv2 {
}
}
#******************************Arquivo clients.conf*********************************
#
# clients.conf - client configuration directives
#
#######################################################################
#######################################################################
#
# Definition of a RADIUS client (usually a NAS).
#
# The information given here over rides anything given in the
# 'clients' file, or in the 'naslist' file. The configuration here
# contains all of the information from those two files, and allows
# for more configuration items.
#
# The "shortname" is be used for logging. The "nastype", "login" and
# "password" fields are mainly used for checkrad and are optional.
#
#
# Defines a RADIUS client. The format is 'client [hostname|ip-address]'
#
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
# to allow testing of the server after an initial installation. If you
# are not going to be permitting RADIUS queries from localhost, we suggest
# that you delete, or comment out, this entry.
#
client 127.0.0.1 {
#
# The shared secret use to "encrypt" and "sign" packets between
# the NAS and FreeRADIUS. You MUST change this secret from the
# default, otherwise it's not a secret any more!
#
# The secret can be any string, up to 32 characters in length.
#
secret = testing123
#
# The short name is used as an alias for the fully qualified
# domain name, or the IP address.
#
shortname = localhost
#
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous use checks
#
#
# The nastype tells 'checkrad.pl' which NAS-specific method to
# use to query the NAS for simultaneous use.
#
# Permitted NAS types are:
#
# cisco
# computone
# livingston
# max40xx
# multitech
# netserver
# pathras
# patton
# portslave
# tc
# usrhiper
# other # for all other types
#
nastype = other # localhost isn't usually a NAS...
#
# The following two configurations are for future use.
# The 'naspasswd' file is currently used to store the NAS
# login name and password, which is used by checkrad.pl
# when querying the NAS for simultaneous use.
#
# login = !root
# password = someadminpas
}
#client some.host.org {
# secret = testing123
# shortname = localhost
#}
#
# You can now specify one secret for a network of clients.
# When a client request comes in, the BEST match is chosen.
# i.e. The entry from the smallest possible network.
#
client 10.254.0.0/24 {
secret = mslinkhome
shortname = mslink-radius
}
#
#client 192.168.0.0/16 {
# secret = testing123-2
# shortname = private-network-2
#}
#client 10.10.10.10 {
# # secret and password are mapped through the "secrets" file.
# secret = testing123
# shortname = liv1
# # the following three fields are optional, but may be used by
# # checkrad.pl for simultaneous usage checks
# nastype = livingston
# login = !root
# password = someadminpas
#}
5
4
Hello again,
@Alan DeKok
> But I would first suggest trying to use the test certificates that come with
> 2.0.1. If those work, then the issue isn't 2.0.0 versus 1.1.7, it's that
> there is something special about the certificates you're using.
I tried to generate some test certificates using the README file provided in the
source-code under "freeradius-server-2.0.1/raddb/certs/"
Therefore the Makefile is used in the same directory. I'm not really sure, but
in Line 93 where the "client.pem" is created it must be
-passin pass:$(PASSWORD_CLIENT) instead of -passin pass:$(PASSWORD_SERVER)
Most of the time you will not recognize, because in server.cnf and client.cnf
all the passwords are set to "whatever" so they are identical, but when you set
them, you will get an error (like me).
It would also be helpful to integrate the following command into the ca section,
when generating a self-signed CA certificate, because using Windows you need the
CA in DER-format:
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der
This evening I will try to test if this certificates are working.
@Reimer Karlsen-Masur
> We know of problems with EE certificates in PDAs containing the
> "non-repudiation" flag.
> Additionally Windows build-in supplicants don't like EE certificates with
> the extendedKeyUsage "Microsoft Smartcard Logon" (1.3.6.1.4.1.311.20.2.2)
> when doing EAP-TLS.
> Apparently the latter issue can also be solved by just disabling the valid
> certificate usage of Microsoft Smartcard Logon in the issuing CAs trusted
> usages properties on the system.
I'm not sure if understand correctly what you want to say to me (I'm stupid :-))
First I've used TinyCA to generate my certificates, now I will try the Makefile
provided in the source-code of freeradius. I think the extendedKeyUsage
"Microsoft Smartcard Logon" should not be set in both variants. Or do you mean
that the extendedKeyUsage "Microsoft Smartcard Logon" must be disabled on the PDA?
Best regards and thanks in advance
Stefan Puch
7
16