Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
November 2008
- 152 participants
- 226 discussions
OK, I've tried using a proxy and now it fails on rlm_eap and says the
User-Name doesn't match EAP Identity. Is there a way to have EAP
processed on the local machine but authentication happen on the
remote? Is that even the problem?
Kerry Tobin
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /private/etc/raddb/proxy.conf
Config: including file: /private/etc/raddb/clients.conf
Config: including file: /private/etc/raddb/snmp.conf
Config: including file: /private/etc/raddb/eap.conf
Config: including file: /private/etc/raddb/sql.conf
main: prefix = "/"
main: localstatedir = "/private/var"
main: logdir = "/private/var/log/radius"
main: libdir = "//lib"
main: radacctdir = "/private/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/private/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/private/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "//sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
pap: auto_header = no
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded opendirectory
opendirectory: passwd = "(null)"
Module: Instantiated opendirectory (opendirectory)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/private/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "ttls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/certificates/Default.key"
tls: certificate_file = "/etc/certificates/Default.crt"
tls: CA_file = "/etc/certificates/Default.crt"
tls: private_key_password = ""
tls: dh_file = "/private/etc/raddb/certs/dh"
tls: random_file = "/private/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
tls: cipher_list = "(null)"
tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
ttls: default_eap_type = "mschapv2"
ttls: copy_request_to_tunnel = no
ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/private/etc/raddb/huntgroups"
preprocess: hints = "/private/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/private/etc/raddb/users"
files: acctusersfile = "/private/etc/raddb/acct_users"
files: preproxy_usersfile = "/private/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/private/var/log/radius/radacct/%{Client-IP-
Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/private/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Module: Loaded SQL
sql: driver = "rlm_sql_sqlite"
sql: server = "localhost"
sql: port = ""
sql: login = "root"
sql: password = "rootpass"
sql: radius_db = "radius"
sql: nas_table = "nas"
sql: sqltrace = no
sql: sqltracefile = "/private/var/log/radius/sqltrace.sql"
sql: readclients = yes
sql: deletestalesessions = yes
sql: num_sql_socks = 5
sql: sql_user_name = "%{User-Name}"
sql: default_user_profile = ""
sql: query_on_not_found = no
sql: authorize_check_query = "SELECT id, UserName, Attribute, Value,
op FROM radcheck WHERE Username = '%{SQL-User-
Name}' ORDER BY id"
sql: authorize_reply_query = "SELECT id, UserName, Attribute, Value,
op FROM radreply WHERE Username = '%{SQL-User-
Name}' ORDER BY id"
sql: authorize_group_check_query = "SELECT
radgroupcheck
.id
,radgroupcheck
.GroupName
,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM
radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}'
AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY
radgroupcheck.id"
sql: authorize_group_reply_query = "SELECT
radgroupreply
.id
,radgroupreply
.GroupName
,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM
radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}'
AND usergroup.GroupName = radgroupreply.GroupName ORDER BY
radgroupreply.id"
sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S',
AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime),
AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-
Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND
NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
sql: accounting_update_query = " UPDATE radacct
SET FramedIPAddress = '%{Framed-IP-
Address}', AcctSessionTime = '%{Acct-Session-
Time}', AcctInputOctets = '%{Acct-Input-
Gigawords:-0}' << 32 | '%{Acct-
Input-Octets:-0}', AcctOutputOctets = '%{Acct-Output-
Gigawords:-0}' << 32 | '%{Acct-
Output-Octets:-0}' WHERE AcctSessionId = '%{Acct-Session-
Id}' AND UserName = '%{SQL-User-Name}' AND
NASIPAddress = '%{NAS-IP-Address}'"
sql: accounting_update_query_alt = " INSERT INTO
radacct (AcctSessionId, AcctUniqueId,
UserName, Realm, NASIPAddress,
NASPortId, NASPortType, AcctStartTime,
AcctSessionTime, AcctAuthentic, ConnectInfo_start,
AcctInputOctets, AcctOutputOctets, CalledStationId,
CallingStationId, ServiceType, FramedProtocol,
FramedIPAddress, AcctStartDelay,
XAscendSessionSvrKey) VALUES ('%{Acct-Session-
Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-
Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-
Port}', '%{NAS-Port-Type}',
DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0}
+ %{Acct-Delay-Time:-0})
SECOND), '%{Acct-Session-Time}', '%
{Acct-Authentic}', '', '%{Acct-Input-Gigawords:-0}' << 32
| '%{Acct-Input-Octets:-0}', '%{Acct-Output-
Gigawords:-0}' << 32 | '%{Acct-Output-
Octets:-0}', '%{Called-Station-Id}', '%{Calling-Station-
Id}', '%{Service-Type}', '%{Framed-
Protocol}', '%{Framed-IP-Address}', '0', '%
{X-Ascend-Session-Svr-Key}')"
sql: accounting_start_query = " INSERT INTO
radacct (AcctSessionId, AcctUniqueId,
UserName, Realm, NASIPAddress,
NASPortId, NASPortType, AcctStartTime,
AcctStopTime, AcctSessionTime, AcctAuthentic,
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets,
AcctOutputOctets, CalledStationId, CallingStationId,
AcctTerminateCause, ServiceType, FramedProtocol,
FramedIPAddress, AcctStartDelay, AcctStopDelay,
XAscendSessionSvrKey) VALUES ('%{Acct-Session-
Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-
Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-
Port}', '%{NAS-Port-Type}', '%S', '0', '0',
'%{Acct-Authentic}', '%{Connect-Info}', '', '0',
'0', '%{Called-Station-Id}', '%{Calling-Station-Id}',
'', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-
Address}', '%{Acct-Delay-Time:-0}', '0', '%{X-Ascend-
Session-Svr-Key}')"
sql: accounting_start_query_alt = "UPDATE radacct SET AcctStartTime
= '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%
{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND
UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
sql: accounting_stop_query = " UPDATE radacct
SET AcctStopTime = '%S',
AcctSessionTime = '%{Acct-Session-Time}',
AcctInputOctets = '%{Acct-Input-Gigawords:-0}' << 32
| '%{Acct-Input-
Octets:-0}', AcctOutputOctets = '%{Acct-Output-
Gigawords:-0}' << 32 | '%{Acct-
Output-Octets:-0}', AcctTerminateCause = '%{Acct-
Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-
Time:-0}', ConnectInfo_stop = '%{Connect-
Info}' WHERE AcctSessionId = '%{Acct-Session-
Id}' AND UserName = '%{SQL-User-Name}'
AND NASIPAddress = '%{NAS-IP-Address}'"
sql: accounting_stop_query_alt = " INSERT INTO
radacct (AcctSessionId, AcctUniqueId,
UserName, Realm, NASIPAddress, NASPortId,
NASPortType, AcctStartTime, AcctStopTime,
AcctSessionTime, AcctAuthentic, ConnectInfo_start,
ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
CalledStationId, CallingStationId, AcctTerminateCause,
ServiceType, FramedProtocol, FramedIPAddress,
AcctStartDelay, AcctStopDelay) VALUES ('%{Acct-
Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-
Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-
Port}', '%{NAS-Port-Type}',
DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0}
+ %{Acct-Delay-Time:-0}) SECOND), '%S',
'%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%
{Connect-Info}', '%{Acct-Input-Gigawords:-0}' << 32
| '%{Acct-Input-Octets:-0}', '%{Acct-Output-
Gigawords:-0}' << 32 | '%{Acct-Output-
Octets:-0}', '%{Called-Station-Id}', '%{Calling-Station-
Id}', '%{Acct-Terminate-Cause}', '%{Service-
Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
'0', '%{Acct-Delay-Time:-0}')"
sql: group_membership_query = "SELECT GroupName FROM usergroup WHERE
UserName='%{SQL-User-Name}'"
sql: connect_failure_retry_delay = 60
sql: simul_count_query = ""
sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId,
UserName, NASIPAddress, NASPortId,
FramedIPAddress, CallingStationId,
FramedProtocol FROM
radacct WHERE UserName='%{SQL-User-
Name}' AND AcctStopTime = 0"
sql: postauth_query = "INSERT into radpostauth (user, pass, reply,
date) values ('%{User-Name}', '%{User-Password:-Chap-Password}', '%
{reply:Packet-Type}', NOW())"
sql: safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded
and linked
rlm_sql (sql): Attempting to connect to root@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #0
rlm_sql_sqlite: Opening sqlite database for #0
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #1
rlm_sql_sqlite: Opening sqlite database for #1
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #2
rlm_sql_sqlite: Opening sqlite database for #2
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #3
rlm_sql_sqlite: Opening sqlite database for #3
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #4
rlm_sql_sqlite: Opening sqlite database for #4
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): - generate_sql_clients
rlm_sql (sql): Query: SELECT * FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_sqlite: sqlite3_prepare() = 0
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.1.81,shortname=RadiusServ,secret=testing123
rlm_sql (sql): Adding client 10.0.1.81 (RadiusServ) to clients list
rlm_sql_sqlite: sqlite3_step = 101
rlm_sql_sqlite: sqlite3_finalize() = 0
rlm_sql (sql): Released sql socket id: 4
Module: Instantiated sql (sql)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.1.81:1814, id=1,
length=136
User-Name = "testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0xcb3a97dde57e8f67081dc5e3d1b9c75f
EAP-Message = 0x020200140142494f4348454d5c6b77746f62696e
NAS-Port-Type = Wireless-802.11
NAS-Port = 26082
NAS-IP-Address = 10.0.1.18
Proxy-State = 0x323430
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 2 length 20
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 0
rlm_opendirectory: The SACL group "com.apple.access_radius" does not
exist on this system.
rlm_opendirectory: The host 10.0.1.81 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
rlm_eap: Failed in handler
modcall[authenticate]: module "eap" returns invalid for request 0
modcall: leaving group authenticate (returns invalid) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 1 to 10.0.1.81 port 1814
Proxy-State = 0x323430
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 1 with timestamp 49106a06
Nothing to do. Sleeping until we see a request.
On Nov 3, 2008, at 1:01 PM, freeradius-users-request(a)lists.freeradius.org
wrote:
>
>
> Message: 3
> Date: Mon, 03 Nov 2008 15:45:44 +0100
> From: <tnt(a)kalik.net>
> Subject: Re: Unable to authenticate to Open Directory
> To: "FreeRadius users mailing list"
> <freeradius-users(a)lists.freeradius.org>
> Message-ID: <YjVYPK5R.1225723544.6673350.tnt(a)kalik.net>
> Content-Type: text/plain; charset=ISO-8859-2
>
>> Still fails when with_ntdomain_hack is enabled...
>>
> ..
>> rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN
>> \testuser"
>> rlm_realm: Found realm "DOMAIN"
>> rlm_realm: Adding Stripped-User-Name = "testuser"
>> rlm_realm: Proxying request from user testuser to realm DOMAIN
>> rlm_realm: Adding Realm = "DOMAIN"
>> rlm_realm: Authentication realm is LOCAL.
>
> You need to proxy for real. Not locally as those are not stripped.
> There
> should be a proxy server sending requests to this one and stripping
> out
> the DOMAIN bit.
>
> Ivan Kalik
> Kalik Informatika ISP
>
3
2
Hi,
How should i call the ldap module in the post_proxy section (in
Freeradius v1 or v2...)?
It should perhaps be easier to ask a single question rather than in my
long request posted yesterday...;o)
In Freeradius v1, i can merge in an access-accept response radius
attribute to a proxy reply.
radiusd.conf
------------
...
authorize {
...
suffix
ldap
...
}
post_proxy {
eap
}
...
proxy.conf
----------
proxy server {
...
#
# Older versions of the server would pass proxy requests through the
# 'authorize' sections twice; once when the packet was received
# from the NAS, and again after the reply was received from the home
# server. Now that we have a 'post_proxy' section, the replies from
# the home server should be sent through that, instead of through
# the 'authorize' section again.
#
# However, for backwards compatibility, this behaviour is configurable.
# The default configuration is 'yes', for backwards compatibility.
# To use ONLY the new 'post_proxy' section, set this value to 'no'.
#
post_proxy_authorize = yes
...
}
realm otp {
type = radius
authhost = myproxyradius:1812
secret = xxxxxxx
}
And it works because it parses twice the authorization section (as i
seemed to understand, sorry i'm french ;o))...a thing that doesn't
happen in v2.x...
Rgds
Paul
--
============================
Paul TAVERNIER
Equipe Reseaux-Securite
Division Informatique
Rectorat de ROUEN
2
1
04 Nov '08
The first comment you gave mentioned to put the Etc-Group-Name in the huntgroups file. This unfortunately does not work as it will only accept system groups (and users do not have accounts for this system).
This option does not scale if I am understanding you right.
I would have to add a section for each user for every huntgroup. If I have 20 administrators and 20 huntgroups I would have to create 400 entries just for them. With the number of users I would have to deal with this would not scale.
It seems like there should be a easy way to deal with users in more than one group.
>Date: Tue, 04 Nov 2008 14:33:26 +0100
>From: <tnt(a)kalik.net>
>Subject: Re: user group problems, my logic or freeradius limitation
>
>Sorry, my brain is like sieve today.
>
>Not DEFAULT but user entries (as I said in the text):
>
>walt password, hutgroup, group
>fall-through
>
>walt bpassword, huntgroup, group
>
>Ivan Kalik
>Kalik Informatika ISP
>
> Date: Tue, 04 Nov 2008 14:29:27 +0100
> From: <tnt(a)kalik.net>
> Subject: Re: user group problems, my logic or freeradius limitation
> To: "FreeRadius users mailing list"
> <freeradius-users(a)lists.freeradius.org>
> Message-ID: <TWkceAyP.1225805367.8814670.tnt(a)kalik.net>
> Content-Type: text/plain; charset=ISO-8859-2
>
> Sorry, you have problem with users in multiple groups. What I posted will
> have no effect. You should create a different huntgroup - add every NAS
> that groups wilab2 and nolab are allowed to connect. Than remove that
> users file entry and add:
>
> DEFAULT Huntgroup-Name == "wilab2", Etc-Group-Name == "wilab2"
> Fall-Through = yes
>
> DEFAULT Huntgroup-Name == "nolab", Etc-Group-Name == "nolab"
> Fall-Through = yes
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> Dana 4/11/2008, "Reynolds, Walter" <waltr(a)umich.edu> pi?e:
>
> >I am trying to find a good way to limit who is able to login at specific NAS's. I
> know I could add all the allowed user names to the Huntgroups file, but this can
> get tedious as I must do it for each NAS. So I figured the best way was to use
> groups. The users are not account holders on the system, so I could not user
> the 'Group' option in huntgroups. I also do not have a database backend so
> wanted to uses a local file.
> >
> >So in looking I saw that I could do the following:
> >
> >1. modules/etc_group - Define a local file with a group list
> >2. Created the group file referenced in etc_group
> >3. Added a dictionary item for the attribute
> >4. Add the desired NAS to a huntgroup
> >5. Set a policy in the users file to be based on the list.
> >
> >Where I am having a problem is if the user is assigned to more than one
> group. As you can see from the first debug output from below, if a user is a
> member of the group alone it works fine. But the second debug shows that if a
> user is a member of more than one group, even if one is the right one, it will not
> work because one of the groups does not match.
> >
> >The reason I need users in more than one group is if they are affiliated with
> more than one department. Also will need more than one affiliation for support
> to be able to troubleshoot connecting on each NAS.
> >
> >In case it matters, the back end authentication is Kerberos on our production
> service but for this test I just have some local accounts defined in the users file.
> >
> >So, is this a error in my logic/setup or is this a limitation I have with
> Freeradius. Is there some other way to do this?
> >
> >
> >===============
> >
> >/usr/local/etc/raddb/modules/etc_group
> >
> >passwd etc_group {
> > filename = /usr/local/etc/raddb/group_file
> > format = "~Etc-Group-Name:*,User-Name"
> > hashsize = 150
> > ignorenislike = yes
> > allowmultiplekeys = yes
> > delimiter = ":"
> >}
> >
> >================
> >
> >/usr/local/etc/raddb/group_file
> >
> >wilab:walt,walter
> >wilab2:walter,walter01
> >nolab:walter01
> >
> >=================
> >
> >/usr/local/etc/raddb/dictionary
> >
> >ATTRIBUTE Etc-Group-Name 3000 string
> >
> >=================
> >
> >/usr/local/etc/raddb/huntgroups
> >
> >ILAB NAS-IP-Address == 10.11.224.36
> >
> >=================
> >
> >/usr/local/etc/raddb/users (added line numbers for the debug)
> >
> >
> > 102 DEFAULT Huntgroup-Name == ILAB, Etc-Group-Name != "wilab", Auth-
> Type := Reject
> > 103 Fall-Through = no
> > 104
> > 105 walt Cleartext-Password := "walter01"
> > 106 walter Cleartext-Password := "walter01"
> > 107 walter01 Cleartext-Password := "walter01"
> >
> >
> >-------------------------------
> >
> >
> >rad_recv: Access-Request packet from host 10.11.224.36 port 32783, id=111,
> length=131
> > User-Name = "walt"
> > User-Password = "walter01"
> > NAS-IP-Address = 10.11.224.36
> > Service-Type = Login-User
> > Framed-IP-Address = 192.168.135.25
> > Called-Station-Id = "00:07:E9:D1:8F:C2"
> > NAS-Identifier = "Bluesocket"
> > Acct-Session-Id = "00:07:E9:D1:8F:C2:1225801477"
> > NAS-Port-Type = Wireless-802.11
> >Tue Nov 4 07:09:21 2008 : Info: +- entering group authorize {...}
> >Tue Nov 4 07:09:21 2008 : Info: ++[preprocess] returns ok
> >Tue Nov 4 07:09:21 2008 : Info: ++[chap] returns noop
> >Tue Nov 4 07:09:21 2008 : Info: ++[mschap] returns noop
> >Tue Nov 4 07:09:21 2008 : Info: [suffix] No '@' in User-Name = "walt", looking
> up realm NULL
> >Tue Nov 4 07:09:21 2008 : Info: [suffix] No such realm "NULL"
> >Tue Nov 4 07:09:21 2008 : Info: ++[suffix] returns noop
> >Tue Nov 4 07:09:21 2008 : Info: [eap] No EAP-Message, not doing EAP
> >Tue Nov 4 07:09:21 2008 : Info: ++[eap] returns noop
> >Tue Nov 4 07:09:21 2008 : Info: ++[unix] returns notfound
> >Tue Nov 4 07:09:21 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab' to
> request_items
> >Tue Nov 4 07:09:21 2008 : Info: ++[etc_group] returns ok
> >Tue Nov 4 07:09:21 2008 : Info: [files] users: Matched entry walt at line 105
> >Tue Nov 4 07:09:21 2008 : Info: ++[files] returns ok
> >Tue Nov 4 07:09:21 2008 : Info: ++[expiration] returns noop
> >Tue Nov 4 07:09:21 2008 : Info: ++[logintime] returns noop
> >Tue Nov 4 07:09:21 2008 : Info: ++[pap] returns updated
> >Tue Nov 4 07:09:21 2008 : Info: Found Auth-Type = PAP
> >Tue Nov 4 07:09:21 2008 : Info: +- entering group PAP {...}
> >Tue Nov 4 07:09:21 2008 : Info: [pap] login attempt with password "walter01"
> >Tue Nov 4 07:09:21 2008 : Info: [pap] Using clear text password "walter01"
> >Tue Nov 4 07:09:21 2008 : Info: [pap] User authenticated successfully
> >Tue Nov 4 07:09:21 2008 : Info: ++[pap] returns ok
> >Tue Nov 4 07:09:21 2008 : Info: +- entering group post-auth {...}
> >Tue Nov 4 07:09:21 2008 : Info: ++[exec] returns noop
> >Sending Access-Accept of id 111 to 10.11.224.36 port 32783
> >Tue Nov 4 07:09:21 2008 : Info: Finished request 0.
> >
> >
> >=======================
> >rad_recv: Access-Request packet from host 10.11.224.36 port 32783, id=112,
> length=133
> > User-Name = "walter"
> > User-Password = "walter01"
> > NAS-IP-Address = 10.11.224.36
> > Service-Type = Login-User
> > Framed-IP-Address = 192.168.135.25
> > Called-Station-Id = "00:07:E9:D1:8F:C2"
> > NAS-Identifier = "Bluesocket"
> > Acct-Session-Id = "00:07:E9:D1:8F:C2:1225801505"
> > NAS-Port-Type = Wireless-802.11
> >Tue Nov 4 07:09:49 2008 : Info: +- entering group authorize {...}
> >Tue Nov 4 07:09:49 2008 : Info: ++[preprocess] returns ok
> >Tue Nov 4 07:09:49 2008 : Info: ++[chap] returns noop
> >Tue Nov 4 07:09:49 2008 : Info: ++[mschap] returns noop
> >Tue Nov 4 07:09:49 2008 : Info: [suffix] No '@' in User-Name = "walter", looking
> up realm NULL
> >Tue Nov 4 07:09:49 2008 : Info: [suffix] No such realm "NULL"
> >Tue Nov 4 07:09:49 2008 : Info: ++[suffix] returns noop
> >Tue Nov 4 07:09:49 2008 : Info: [eap] No EAP-Message, not doing EAP
> >Tue Nov 4 07:09:49 2008 : Info: ++[eap] returns noop
> >Tue Nov 4 07:09:49 2008 : Info: ++[unix] returns notfound
> >Tue Nov 4 07:09:49 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab2' to
> request_items
> >Tue Nov 4 07:09:49 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab' to
> request_items
> >Tue Nov 4 07:09:49 2008 : Info: ++[etc_group] returns ok
> >Tue Nov 4 07:09:49 2008 : Info: [files] users: Matched entry DEFAULT at line
> 102
> >Tue Nov 4 07:09:49 2008 : Info: ++[files] returns ok
> >Tue Nov 4 07:09:49 2008 : Info: ++[expiration] returns noop
> >Tue Nov 4 07:09:49 2008 : Info: ++[logintime] returns noop
> >Tue Nov 4 07:09:49 2008 : Info: [pap] Found existing Auth-Type, not changing
> it.
> >Tue Nov 4 07:09:49 2008 : Info: ++[pap] returns noop
> >Tue Nov 4 07:09:49 2008 : Info: Found Auth-Type = Reject
> >Tue Nov 4 07:09:49 2008 : Info: Auth-Type = Reject, rejecting user
> >Tue Nov 4 07:09:49 2008 : Info: Failed to authenticate the user.
> >Tue Nov 4 07:09:49 2008 : Info: Using Post-Auth-Type Reject
> >Tue Nov 4 07:09:49 2008 : Info: +- entering group REJECT {...}
> >Tue Nov 4 07:09:49 2008 : Info: [attr_filter.access_reject] expand: %{User-
> Name} -> walter
> >Tue Nov 4 07:09:49 2008 : Debug: attr_filter: Matched entry DEFAULT at line
> 11
> >Tue Nov 4 07:09:49 2008 : Info: ++[attr_filter.access_reject] returns updated
> >Tue Nov 4 07:09:49 2008 : Info: Delaying reject of request 1 for 1 seconds
> >Tue Nov 4 07:09:49 2008 : Debug: Going to the next request
> >Tue Nov 4 07:09:49 2008 : Debug: Waking up in 0.9 seconds.
> >Tue Nov 4 07:09:50 2008 : Info: Sending delayed reject for request 1
> >Sending Access-Reject of id 112 to 10.11.224.36 port 32783
> >Tue Nov 4 07:09:50 2008 : Debug: Waking up in 4.9 seconds.
> >Tue Nov 4 07:09:55 2008 : Info: Cleaning up request 1 ID 112 with timestamp
> +39
> >Tue Nov 4 07:09:55 2008 : Debug: Ready to process requests.
> >
> >
> >
> >
> >--
> >Walt Reynolds
> >Principal Systems Security Development Engineer
> >Information Technology Central Services
> >University of Michigan
> >(734) 615-9438
> >
> >
> >
> >-
> >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
> >
>
>
>
> ------------------------------
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
> End of Freeradius-Users Digest, Vol 43, Issue 12
> ************************************************
2
1
Hello !!
Here i use Exec-Program-Wait to validade data AFTER auth OK, i need to
execute other script AFTER auth OK to get IP address assigned to user.
i´m trying to pass %f to my script but return "?.?.?.?" because at this
moment, radius not assigned ip for user...
how i can do this ?
thanks !!
--
Sds.
Alexandre Jeronimo Correa
Onda Internet - http://www.ondainternet.com.br
OPinguim Hosting - http://www.opinguim.net
Linux User ID #142329
UNOTEL S/A - http://www.unotel.com.br
4
7
I am trying to find a good way to limit who is able to login at specific NAS's. I know I could add all the allowed user names to the Huntgroups file, but this can get tedious as I must do it for each NAS. So I figured the best way was to use groups. The users are not account holders on the system, so I could not user the 'Group' option in huntgroups. I also do not have a database backend so wanted to uses a local file.
So in looking I saw that I could do the following:
1. modules/etc_group - Define a local file with a group list
2. Created the group file referenced in etc_group
3. Added a dictionary item for the attribute
4. Add the desired NAS to a huntgroup
5. Set a policy in the users file to be based on the list.
Where I am having a problem is if the user is assigned to more than one group. As you can see from the first debug output from below, if a user is a member of the group alone it works fine. But the second debug shows that if a user is a member of more than one group, even if one is the right one, it will not work because one of the groups does not match.
The reason I need users in more than one group is if they are affiliated with more than one department. Also will need more than one affiliation for support to be able to troubleshoot connecting on each NAS.
In case it matters, the back end authentication is Kerberos on our production service but for this test I just have some local accounts defined in the users file.
So, is this a error in my logic/setup or is this a limitation I have with Freeradius. Is there some other way to do this?
===============
/usr/local/etc/raddb/modules/etc_group
passwd etc_group {
filename = /usr/local/etc/raddb/group_file
format = "~Etc-Group-Name:*,User-Name"
hashsize = 150
ignorenislike = yes
allowmultiplekeys = yes
delimiter = ":"
}
================
/usr/local/etc/raddb/group_file
wilab:walt,walter
wilab2:walter,walter01
nolab:walter01
=================
/usr/local/etc/raddb/dictionary
ATTRIBUTE Etc-Group-Name 3000 string
=================
/usr/local/etc/raddb/huntgroups
ILAB NAS-IP-Address == 10.11.224.36
=================
/usr/local/etc/raddb/users (added line numbers for the debug)
102 DEFAULT Huntgroup-Name == ILAB, Etc-Group-Name != "wilab", Auth-Type := Reject
103 Fall-Through = no
104
105 walt Cleartext-Password := "walter01"
106 walter Cleartext-Password := "walter01"
107 walter01 Cleartext-Password := "walter01"
-------------------------------
rad_recv: Access-Request packet from host 10.11.224.36 port 32783, id=111, length=131
User-Name = "walt"
User-Password = "walter01"
NAS-IP-Address = 10.11.224.36
Service-Type = Login-User
Framed-IP-Address = 192.168.135.25
Called-Station-Id = "00:07:E9:D1:8F:C2"
NAS-Identifier = "Bluesocket"
Acct-Session-Id = "00:07:E9:D1:8F:C2:1225801477"
NAS-Port-Type = Wireless-802.11
Tue Nov 4 07:09:21 2008 : Info: +- entering group authorize {...}
Tue Nov 4 07:09:21 2008 : Info: ++[preprocess] returns ok
Tue Nov 4 07:09:21 2008 : Info: ++[chap] returns noop
Tue Nov 4 07:09:21 2008 : Info: ++[mschap] returns noop
Tue Nov 4 07:09:21 2008 : Info: [suffix] No '@' in User-Name = "walt", looking up realm NULL
Tue Nov 4 07:09:21 2008 : Info: [suffix] No such realm "NULL"
Tue Nov 4 07:09:21 2008 : Info: ++[suffix] returns noop
Tue Nov 4 07:09:21 2008 : Info: [eap] No EAP-Message, not doing EAP
Tue Nov 4 07:09:21 2008 : Info: ++[eap] returns noop
Tue Nov 4 07:09:21 2008 : Info: ++[unix] returns notfound
Tue Nov 4 07:09:21 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab' to request_items
Tue Nov 4 07:09:21 2008 : Info: ++[etc_group] returns ok
Tue Nov 4 07:09:21 2008 : Info: [files] users: Matched entry walt at line 105
Tue Nov 4 07:09:21 2008 : Info: ++[files] returns ok
Tue Nov 4 07:09:21 2008 : Info: ++[expiration] returns noop
Tue Nov 4 07:09:21 2008 : Info: ++[logintime] returns noop
Tue Nov 4 07:09:21 2008 : Info: ++[pap] returns updated
Tue Nov 4 07:09:21 2008 : Info: Found Auth-Type = PAP
Tue Nov 4 07:09:21 2008 : Info: +- entering group PAP {...}
Tue Nov 4 07:09:21 2008 : Info: [pap] login attempt with password "walter01"
Tue Nov 4 07:09:21 2008 : Info: [pap] Using clear text password "walter01"
Tue Nov 4 07:09:21 2008 : Info: [pap] User authenticated successfully
Tue Nov 4 07:09:21 2008 : Info: ++[pap] returns ok
Tue Nov 4 07:09:21 2008 : Info: +- entering group post-auth {...}
Tue Nov 4 07:09:21 2008 : Info: ++[exec] returns noop
Sending Access-Accept of id 111 to 10.11.224.36 port 32783
Tue Nov 4 07:09:21 2008 : Info: Finished request 0.
=======================
rad_recv: Access-Request packet from host 10.11.224.36 port 32783, id=112, length=133
User-Name = "walter"
User-Password = "walter01"
NAS-IP-Address = 10.11.224.36
Service-Type = Login-User
Framed-IP-Address = 192.168.135.25
Called-Station-Id = "00:07:E9:D1:8F:C2"
NAS-Identifier = "Bluesocket"
Acct-Session-Id = "00:07:E9:D1:8F:C2:1225801505"
NAS-Port-Type = Wireless-802.11
Tue Nov 4 07:09:49 2008 : Info: +- entering group authorize {...}
Tue Nov 4 07:09:49 2008 : Info: ++[preprocess] returns ok
Tue Nov 4 07:09:49 2008 : Info: ++[chap] returns noop
Tue Nov 4 07:09:49 2008 : Info: ++[mschap] returns noop
Tue Nov 4 07:09:49 2008 : Info: [suffix] No '@' in User-Name = "walter", looking up realm NULL
Tue Nov 4 07:09:49 2008 : Info: [suffix] No such realm "NULL"
Tue Nov 4 07:09:49 2008 : Info: ++[suffix] returns noop
Tue Nov 4 07:09:49 2008 : Info: [eap] No EAP-Message, not doing EAP
Tue Nov 4 07:09:49 2008 : Info: ++[eap] returns noop
Tue Nov 4 07:09:49 2008 : Info: ++[unix] returns notfound
Tue Nov 4 07:09:49 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab2' to request_items
Tue Nov 4 07:09:49 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab' to request_items
Tue Nov 4 07:09:49 2008 : Info: ++[etc_group] returns ok
Tue Nov 4 07:09:49 2008 : Info: [files] users: Matched entry DEFAULT at line 102
Tue Nov 4 07:09:49 2008 : Info: ++[files] returns ok
Tue Nov 4 07:09:49 2008 : Info: ++[expiration] returns noop
Tue Nov 4 07:09:49 2008 : Info: ++[logintime] returns noop
Tue Nov 4 07:09:49 2008 : Info: [pap] Found existing Auth-Type, not changing it.
Tue Nov 4 07:09:49 2008 : Info: ++[pap] returns noop
Tue Nov 4 07:09:49 2008 : Info: Found Auth-Type = Reject
Tue Nov 4 07:09:49 2008 : Info: Auth-Type = Reject, rejecting user
Tue Nov 4 07:09:49 2008 : Info: Failed to authenticate the user.
Tue Nov 4 07:09:49 2008 : Info: Using Post-Auth-Type Reject
Tue Nov 4 07:09:49 2008 : Info: +- entering group REJECT {...}
Tue Nov 4 07:09:49 2008 : Info: [attr_filter.access_reject] expand: %{User-Name} -> walter
Tue Nov 4 07:09:49 2008 : Debug: attr_filter: Matched entry DEFAULT at line 11
Tue Nov 4 07:09:49 2008 : Info: ++[attr_filter.access_reject] returns updated
Tue Nov 4 07:09:49 2008 : Info: Delaying reject of request 1 for 1 seconds
Tue Nov 4 07:09:49 2008 : Debug: Going to the next request
Tue Nov 4 07:09:49 2008 : Debug: Waking up in 0.9 seconds.
Tue Nov 4 07:09:50 2008 : Info: Sending delayed reject for request 1
Sending Access-Reject of id 112 to 10.11.224.36 port 32783
Tue Nov 4 07:09:50 2008 : Debug: Waking up in 4.9 seconds.
Tue Nov 4 07:09:55 2008 : Info: Cleaning up request 1 ID 112 with timestamp +39
Tue Nov 4 07:09:55 2008 : Debug: Ready to process requests.
--
Walt Reynolds
Principal Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734) 615-9438
2
3
Hi all/anders,
As told, i tried freeradius-2.1.1, but same result.
Actaully my setup involves wifi client supporting PEAP ---------> EAP-MD5
|-----> EAP-Token_card
l------> EAP-MSCHAPv2
Attached are the conf file eap.conf and debug log file.
Wifi client is installed on Windows XP _Service pack 2 OS.
SETUP:
wifi client(WINXP) <---------> AP <------------------->
freeradius-2.1.1 server.
The setup works with PEAP_EAP-Tokencard and PEAP_EAP-MSCHAPv2
But fails only for PEAP_EAP-MD5.
Is it because of the supplicant (Win XP).
Kindly reply.
Regards
Prasad
On Mon, Nov 3, 2008 at 1:41 PM, Anders Holm <anders.holm(a)sysadmin.ie> wrote:
> This is likely to have been fixed in a newer version. Do you see this with a
> 2.1.1 installation?
>
> //anders
>
> Prasad Parab wrote:
>
> Hi,
> Am using freeradius-1.0.5 for PEAP authentication with EAP-MD5.
> Attached is the log of auth failure wirg the same.
> Attached also are the configuration files.
> Kindly help.
> Regards
> Prasad
>
> ________________________________
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
2
3
I'm compiling for PPC on Intel Debian machine.
Compiler package's from montavista.
On the compiling, I met "ltdl" problem. So, I added "--enable-ltdl-install"
option and then ok.
...
I made options like next:
./configure --prefix=/root/local
CC=/opt/mvl4/pro/devkit/ppc/7xx/bin/ppc_7xx-gcc
CCFLAGS=/usr/src/linux-2.6.10/include/ --enable-ltdl-install --host=ppc
But, errors occurred at "rlm_perl" like attatched file.(1.1.7.txt) again.
What's a problem?
-- from beginner --
P.S. I have to compile freeradius-1.1.7.
1
0
Hi~
I did compile freeradius-1.1.7 and 2.1.1.
My build machine is : intel debian 3.1 and montavista cross-compiler
Options are :
./configure --prefix="/root/local"
CC="/opt/mvl4/pro/devkit/ppc/7xx/bin/ppc_7xx-gcc" --host="ppc"
First error was about libgdbm.a and wrong format message.
So, I got gdbm-xxx.tar.gz package and installed to
"/opt/mvl4/pro/devkit/ppc/7xx/target/lib". And then the error disappeared.
And now, second error message occurred.
/root/ipv6/freeradius-1.1.7/src/main/mainconfig.c:827: warning: Using
'getservbyname' in statically linked applications requires at runtime the
shared libraries from the glibc version used for linking
/opt/mvl4/pro/devkit/ppc/7xx/bin/../lib/gcc/powerpc-montavista-linux/3.4.3/.
./../../../powerpc-montavista-linux/bin/ld: attempted static link of dynamic
object `/opt/mvl4/pro/devkit/ppc/7xx/bin/../target/usr/lib//libltdl.so'
collect2: ld returned 1 exit status
rm -f .libs/radiusdS.o
make[4]: *** [radiusd] Error 1
make[4]: Leaving directory `/root/ipv6/freeradius-1.1.7/src/main'
make[3]: *** [common] Error 2
make[3]: Leaving directory `/root/ipv6/freeradius-1.1.7/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/ipv6/freeradius-1.1.7/src'
make[1]: *** [common] Error 2
make[1]: Leaving directory `/root/ipv6/freeradius-1.1.7'
make: *** [all] Error 2
In my thinking, this kinds of errors seems to be happened so often.
What can I do for this?
-- from beginner -- :-)
Thanks.
2
1
Well, I'm porting to PPC with package by the hands of other people and one
of those is freeradius-1.1.7.
Ok. I'll do that. By the way, does the configuration file of version 1.1.7
use for 2.1.1?
Thanks.
-----Original Message-----
From: freeradius-users-bounces+cs010101=gmail.com(a)lists.freeradius.org
[mailto:freeradius-users-bounces+cs010101=gmail.com@lists.freeradius.org] On
Behalf Of freeradius-users-request(a)lists.freeradius.org
Sent: Monday, November 03, 2008 8:00 PM
To: freeradius-users(a)lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 43, Issue 3
Send Freeradius-Users mailing list submissions to
freeradius-users(a)lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-request(a)lists.freeradius.org
You can reach the person managing the list at
freeradius-users-owner(a)lists.freeradius.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: [Q] compiling for ppc. (Anders Holm)
2. Re: Freeradius-1.0.5_PEAP with EAP-MD5 auth failure (Anders Holm)
----------------------------------------------------------------------
Message: 1
Date: Mon, 03 Nov 2008 08:10:21 +0000
From: Anders Holm <anders.holm(a)sysadmin.ie>
Subject: Re: [Q] compiling for ppc.
To: FreeRadius users mailing list
<freeradius-users(a)lists.freeradius.org>
Message-ID: <490EB1ED.80909(a)sysadmin.ie>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Young-Whan Kim wrote:
> Hi~~ Happy to meet you.
>
> I'm trying to compile for PPC. The version is 1.1.7.
>
Why 1.1.7? Use 2.1.1 if you're going through the trouble of compiling
anyway.
>
/opt/mvl4/pro/devkit/ppc/7xx/bin/../lib/gcc/powerpc-montavista-linux/3.4.3/.
> ./../../../powerpc-montavista-linux/bin/ld: attempted static link of
dynamic
> object `/opt/mvl4/pro/devkit/ppc/7xx/bin/../target/usr/lib/libgdbm.a'
> collect2: ld returned 1 exit status
>
Fairly self-explanatory. Why not start with 2.1.1, and use configure
without options and see how far you get, and then take one step at a
time until things are where you want them to be.
//anders
------------------------------
Message: 2
Date: Mon, 03 Nov 2008 08:11:50 +0000
From: Anders Holm <anders.holm(a)sysadmin.ie>
Subject: Re: Freeradius-1.0.5_PEAP with EAP-MD5 auth failure
To: FreeRadius users mailing list
<freeradius-users(a)lists.freeradius.org>
Message-ID: <490EB246.6040603(a)sysadmin.ie>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
This is likely to have been fixed in a newer version. Do you see this
with a 2.1.1 installation?
//anders
Prasad Parab wrote:
> Hi,
>
> Am using freeradius-1.0.5 for PEAP authentication with EAP-MD5.
> Attached is the log of auth failure wirg the same.
> Attached also are the configuration files.
> Kindly help.
>
> Regards
> Prasad
> ------------------------------------------------------------------------
>
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
2
1
Still fails when with_ntdomain_hack is enabled...
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /private/etc/raddb/proxy.conf
Config: including file: /private/etc/raddb/clients.conf
Config: including file: /private/etc/raddb/snmp.conf
Config: including file: /private/etc/raddb/eap.conf
Config: including file: /private/etc/raddb/sql.conf
main: prefix = "/"
main: localstatedir = "/private/var"
main: logdir = "/private/var/log/radius"
main: libdir = "//lib"
main: radacctdir = "/private/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/private/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/private/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "//sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
pap: auto_header = no
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = yes
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded opendirectory
opendirectory: passwd = "(null)"
Module: Instantiated opendirectory (opendirectory)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/private/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "ttls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/certificates/
directory.domain.wisc.edu.key"
tls: certificate_file = "/etc/certificates/
directory.domain.wisc.edu.crt"
tls: CA_file = "/etc/certificates/directory.domain.wisc.edu.chcrt"
tls: private_key_password = "somepassword"
tls: dh_file = "/private/etc/raddb/certs/dh"
tls: random_file = "/private/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
tls: cipher_list = "(null)"
tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
ttls: default_eap_type = "mschapv2"
ttls: copy_request_to_tunnel = no
ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/private/etc/raddb/huntgroups"
preprocess: hints = "/private/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
realm: format = "prefix"
realm: delimiter = "\"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (DOMAIN)
Module: Loaded files
files: usersfile = "/private/etc/raddb/users"
files: acctusersfile = "/private/etc/raddb/acct_users"
files: preproxy_usersfile = "/private/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-
IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/private/var/log/radius/radacct/%{Client-IP-
Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/private/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Module: Loaded SQL
sql: driver = "rlm_sql_sqlite"
sql: server = "localhost"
sql: port = ""
sql: login = "root"
sql: password = "rootpass"
sql: radius_db = "radius"
sql: nas_table = "nas"
sql: sqltrace = no
sql: sqltracefile = "/private/var/log/radius/sqltrace.sql"
sql: readclients = yes
sql: deletestalesessions = yes
sql: num_sql_socks = 5
sql: sql_user_name = "%{User-Name}"
sql: default_user_profile = ""
sql: query_on_not_found = no
sql: authorize_check_query = "SELECT id, UserName, Attribute, Value,
op FROM radcheck WHERE Username = '%{SQL-User-
Name}' ORDER BY id"
sql: authorize_reply_query = "SELECT id, UserName, Attribute, Value,
op FROM radreply WHERE Username = '%{SQL-User-
Name}' ORDER BY id"
sql: authorize_group_check_query = "SELECT
radgroupcheck
.id
,radgroupcheck
.GroupName
,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM
radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}'
AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY
radgroupcheck.id"
sql: authorize_group_reply_query = "SELECT
radgroupreply
.id
,radgroupreply
.GroupName
,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM
radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}'
AND usergroup.GroupName = radgroupreply.GroupName ORDER BY
radgroupreply.id"
sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S',
AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime),
AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-
Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND
NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
sql: accounting_update_query = " UPDATE radacct
SET FramedIPAddress = '%{Framed-IP-
Address}', AcctSessionTime = '%{Acct-Session-
Time}', AcctInputOctets = '%{Acct-Input-
Gigawords:-0}' << 32 | '%{Acct-
Input-Octets:-0}', AcctOutputOctets = '%{Acct-Output-
Gigawords:-0}' << 32 | '%{Acct-Output-
Octets:-0}' WHERE AcctSessionId = '%{Acct-Session-
Id}' AND UserName = '%{SQL-User-Name}' AND
NASIPAddress = '%{NAS-IP-Address}'"
sql: accounting_update_query_alt = " INSERT INTO
radacct (AcctSessionId, AcctUniqueId,
UserName, Realm, NASIPAddress,
NASPortId, NASPortType, AcctStartTime,
AcctSessionTime, AcctAuthentic, ConnectInfo_start,
AcctInputOctets, AcctOutputOctets, CalledStationId,
CallingStationId, ServiceType, FramedProtocol,
FramedIPAddress, AcctStartDelay,
XAscendSessionSvrKey) VALUES ('%{Acct-Session-
Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-
Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-
Port}', '%{NAS-Port-Type}',
DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0}
+ %{Acct-Delay-Time:-0}) SECOND), '%{Acct-
Session-Time}', '%{Acct-Authentic}', '', '%
{Acct-Input-Gigawords:-0}' << 32 | '%{Acct-Input-
Octets:-0}', '%{Acct-Output-Gigawords:-0}' << 32
| '%{Acct-Output-Octets:-0}', '%{Called-
Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-
Address}', '0', '%{X-Ascend-Session-Svr-Key}')"
sql: accounting_start_query = " INSERT INTO
radacct (AcctSessionId, AcctUniqueId,
UserName, Realm, NASIPAddress,
NASPortId, NASPortType, AcctStartTime,
AcctStopTime, AcctSessionTime, AcctAuthentic,
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets,
AcctOutputOctets, CalledStationId, CallingStationId,
AcctTerminateCause, ServiceType, FramedProtocol,
FramedIPAddress, AcctStartDelay, AcctStopDelay,
XAscendSessionSvrKey) VALUES ('%{Acct-Session-
Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-
Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%
{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%
{Connect-Info}', '', '0', '0', '%{Called-
Station-Id}', '%{Calling-Station-Id}', '', '%{Service-
Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%
{Acct-Delay-Time:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
sql: accounting_start_query_alt = "UPDATE radacct SET AcctStartTime =
'%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%
{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND
UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
sql: accounting_stop_query = " UPDATE radacct
SET AcctStopTime = '%S',
AcctSessionTime = '%{Acct-Session-Time}',
AcctInputOctets = '%{Acct-Input-Gigawords:-0}' << 32
| '%{Acct-Input-
Octets:-0}', AcctOutputOctets = '%{Acct-Output-
Gigawords:-0}' << 32 | '%{Acct-
Output-Octets:-0}', AcctTerminateCause = '%{Acct-Terminate-
Cause}', AcctStopDelay = '%{Acct-Delay-
Time:-0}', ConnectInfo_stop = '%{Connect-
Info}' WHERE AcctSessionId = '%{Acct-Session-
Id}' AND UserName = '%{SQL-User-Name}'
AND NASIPAddress = '%{NAS-IP-Address}'"
sql: accounting_stop_query_alt = " INSERT INTO
radacct (AcctSessionId, AcctUniqueId,
UserName, Realm, NASIPAddress, NASPortId,
NASPortType, AcctStartTime, AcctStopTime,
AcctSessionTime, AcctAuthentic, ConnectInfo_start,
ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
CalledStationId, CallingStationId, AcctTerminateCause,
ServiceType, FramedProtocol, FramedIPAddress,
AcctStartDelay, AcctStopDelay) VALUES ('%{Acct-
Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-
Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-
Port}', '%{NAS-Port-Type}',
DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0}
+ %{Acct-Delay-Time:-0}) SECOND), '%S',
'%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%
{Connect-Info}', '%{Acct-Input-Gigawords:-0}' << 32
| '%{Acct-Input-Octets:-0}', '%{Acct-Output-
Gigawords:-0}' << 32 | '%{Acct-Output-
Octets:-0}', '%{Called-Station-Id}', '%{Calling-Station-
Id}', '%{Acct-Terminate-Cause}', '%{Service-
Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
'0', '%{Acct-Delay-Time:-0}')"
sql: group_membership_query = "SELECT GroupName FROM usergroup WHERE
UserName='%{SQL-User-Name}'"
sql: connect_failure_retry_delay = 60
sql: simul_count_query = ""
sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId,
UserName, NASIPAddress, NASPortId,
FramedIPAddress, CallingStationId,
FramedProtocol FROM
radacct WHERE UserName='%{SQL-User-
Name}' AND AcctStopTime = 0"
sql: postauth_query = "INSERT into radpostauth (user, pass, reply,
date) values ('%{User-Name}', '%{User-Password:-Chap-Password}', '%
{reply:Packet-Type}', NOW())"
sql: safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded
and linked
rlm_sql (sql): Attempting to connect to root@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #0
rlm_sql_sqlite: Opening sqlite database for #0
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #1
rlm_sql_sqlite: Opening sqlite database for #1
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #2
rlm_sql_sqlite: Opening sqlite database for #2
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #3
rlm_sql_sqlite: Opening sqlite database for #3
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #4
rlm_sql_sqlite: Opening sqlite database for #4
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): - generate_sql_clients
rlm_sql (sql): Query: SELECT * FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_sqlite: sqlite3_prepare() = 0
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.1.7,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.1.7 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.2.5,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.2.5 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.2.6,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.2.6 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.2.7,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.2.7 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.2.8,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.2.8 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.2.9,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.2.9 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.2.10,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.2.10 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.2.11,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.2.11 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.2.12,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.2.12 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.2.13,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.2.13 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.2.17,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.2.17 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.1.5,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.1.5 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.1.6,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.1.6 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.1.8,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.1.8 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.1.9,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.1.9 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.1.10,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.1.10 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.1.11,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.1.11 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.1.12,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.1.12 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.1.13,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.1.13 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.1.15,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.1.15 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.1.16,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.1.16 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.1.17,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.1.17 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.1.18,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.1.18 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.1.19,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.1.19 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.1.20,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.1.20 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.1.21,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.1.21 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.0.1.14,shortname=DomainWireless,secret=somesecret
rlm_sql (sql): Adding client 10.0.1.14 (DomainWireless) to clients list
rlm_sql_sqlite: sqlite3_step = 101
rlm_sql_sqlite: sqlite3_finalize() = 0
rlm_sql (sql): Released sql socket id: 4
Module: Instantiated sql (sql)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.1.18:1645, id=141,
length=139
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0xa48e7da1b96d032d811b5f90484fc061
EAP-Message = 0x020200140142494f4348454d5c6b77746f62696e
NAS-Port-Type = Wireless-802.11
NAS-Port = 25054
NAS-IP-Address = 10.0.1.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN
\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 0
rlm_eap: EAP packet type response id 2 length 20
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 0
rlm_opendirectory: The SACL group "com.apple.access_radius" does not
exist on this system.
rlm_opendirectory: The host 10.0.1.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 141 to 10.0.1.18 port 1645
EAP-Message = 0x010300061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6bb3d9d944118f5c965a13576243b4af
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.1.18:1645, id=142,
length=143
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0x2da99a6709f529936bef6bef51470d96
EAP-Message = 0x020300060319
NAS-Port-Type = Wireless-802.11
NAS-Port = 25054
State = 0x6bb3d9d944118f5c965a13576243b4af
NAS-IP-Address = 10.0.1.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN
\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 1
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 1
rlm_opendirectory: The SACL group "com.apple.access_radius" does not
exist on this system.
rlm_opendirectory: The host 10.0.1.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 142 to 10.0.1.18 port 1645
EAP-Message = 0x010400061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe706dc4d0e0291e0e8e047db207e2891
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.1.18:1645, id=143,
length=295
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0x4fb6b57e3546a5977704b42f46cb0f1f
EAP-Message =
0x0204009e198000000094160301008f0100008b0301490b0141c6e5d85ea44a312e7bb8b465a0f09ac069ae39a5c77145b3c847ae9e20f9ded8ef1fc3f5c5f99ee0fe8c6c809d271ca2d3241944767f351e1a5102b2570018002f00350005000ac009c00ac013c01400320038001300040100002a00000014001200000f62696f6368656d5c6b77746f62696e000a00080006001700180019000b00020100
NAS-Port-Type = Wireless-802.11
NAS-Port = 25054
State = 0xe706dc4d0e0291e0e8e047db207e2891
NAS-IP-Address = 10.0.1.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN
\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 2
rlm_eap: EAP packet type response id 4 length 158
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 2
rlm_opendirectory: The SACL group "com.apple.access_radius" does not
exist on this system.
rlm_opendirectory: The host 10.0.1.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 008f], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0652], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 143 to 10.0.1.18 port 1645
EAP-Message =
0x0105040a19c0000006af160301004a020000460301490b013efeec63a498c85ac1c7147569eee59af667636f881667ef1936aaa6c5209210aea17c090ccde6e09055d194628c1dcd085c91d959f9c04c41c235423360002f0016030106520b00064e00064b0003213082031d30820286a003020102020309f4cf300d06092a864886f70d0101050500304e310b30090603550406130255533110300e060355040a130745717569666178312d302b060355040b1324457175696661782053656375726520436572746966696361746520417574686f72697479301e170d3038313030373137353331385a170d3130313030383137353331385a3081a731
EAP-Message =
0x0b30090603550406130255533112301006035504081309576973636f6e73696e3110300e060355040713074d616469736f6e31283026060355040a131f556e6976657273697479206f6620576973636f6e73696e2d4d616469736f6e31233021060355040b131a4465706172746d656e74206f662042696f6368656d6973747279312330210603550403131a6469726563746f72792e62696f6368656d2e776973632e65647530819f300d06092a864886f70d010101050003818d0030818902818100cca2a234e44460f5581769f32d3db1c9c6a392606f399af6949cf226a89ba21bed5eb7a8232c984d62b482798bccda8c7167b5c94610adab12c3
EAP-Message =
0x5d6e4a169057cacdca0c241f7664b4ee357d2c195a77ff58a109372cfed1b47c5f55cd3aecd5614cde8a5e5af7189832b523df01f3b19a045d0820752335dbe76c5001bd86b90203010001a381ae3081ab300e0603551d0f0101ff0404030204f0301d0603551d0e0416041470ebf51284bbf75477107119daa2431c45e66da8303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e67656f74727573742e636f6d2f63726c732f73656375726563612e63726c301f0603551d2304183016801448e668f92bd2b295d747d82320104f3398909fd4301d0603551d250416301406082b0601050507030106082b0601050507030230
EAP-Message =
0x0d06092a864886f70d0101050500038181009ef534fbfd107c74a784add2cd43b697dc7419168de8d3fa40618c2dbd7e1f47476212609fb0abbb792dac5fe1c99efed42c5c9ccee72ce50bde41fa3451d395e1d74254655d2033badfa8999590a4ae14b0ee3448e8687ce1f19472e6d3edfa92827c061f246a8e99e42ef3429f0bb64d4f6f174628e1d4d95d2903f57719580003243082032030820289a003020102020435def4cf300d06092a864886f70d0101050500304e310b30090603550406130255533110300e060355040a130745717569666178312d302b060355040b13244571756966617820536563757265204365727469666963617465
EAP-Message = 0x20417574686f72697479301e170d3938303832323136
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x114f5ffc05ee4ad37ad8ba841de21409
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.1.18:1645, id=144,
length=143
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0xe3e8142bda7d07ce675f9d322f1a897c
EAP-Message = 0x020500061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 25054
State = 0x114f5ffc05ee4ad37ad8ba841de21409
NAS-IP-Address = 10.0.1.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 3
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN
\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 3
rlm_eap: EAP packet type response id 5 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 3
rlm_opendirectory: The SACL group "com.apple.access_radius" does not
exist on this system.
rlm_opendirectory: The host 10.0.1.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 3
modcall: leaving group authorize (returns updated) for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 144 to 10.0.1.18 port 1645
EAP-Message =
0x010602b51900343135315a170d3138303832323136343135315a304e310b30090603550406130255533110300e060355040a130745717569666178312d302b060355040b1324457175696661782053656375726520436572746966696361746520417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c15db158670862eea09a2d1f086d911468980a1efeda046f13846221c3d17cce9f05e0b801f04e34ece28a950464acf16b535f05b3cb6780bf42028efedd0109ece100144ffcfbf00cdd43ba5b2be11f80709915579316f10f976ab7c268231ccc4d5930ac511e3baf2bd6ee63457bc5d95f50d2e350
EAP-Message =
0x0f3a88e7bf14fde0c7b90203010001a38201093082010530700603551d1f046930673065a063a061a45f305d310b30090603550406130255533110300e060355040a130745717569666178312d302b060355040b1324457175696661782053656375726520436572746966696361746520417574686f72697479310d300b0603550403130443524c31301a0603551d1004133011810f32303138303832323136343135315a300b0603551d0f040403020106301f0603551d2304183016801448e668f92bd2b295d747d82320104f3398909fd4301d0603551d0e0416041448e668f92bd2b295d747d82320104f3398909fd4300c0603551d1304053003
EAP-Message =
0x0101ff301a06092a864886f67d074100040d300b1b0556332e3063030206c0300d06092a864886f70d01010505000381810058ce29eafcf7deb5ce02b917b585d1b9e3e095cc25310d00a6926e7fb692639e5095d19a6fe411de63856e98eea8ff5ac8d355b2667157dec021eb3d2aa72349010486427bfcee7fa21652b56767d340db3b2658b228773dae147761d6fa2a6627a00dfaa7735cea70f1942165445ffafcef2968a9a28779ef79ef4fac07773816030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xac8a03590947a4a133d475214f94e56b
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.1.18:1645, id=145,
length=345
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0xed28b544c87f25f497e3613d6cb3bcdf
EAP-Message =
0x020600d01980000000c616030100861000008200803e724edfea2cb04f67fddde42c96a923f9bb9c846153512105f5b523fd7dc8c92b75aae9c15a683335c64c42be8fbbf7af7db81e269ef9cc8591991fdc329e00df2cac96b6971724cf15f0e017dd4971d3426f5fd381c71bcaad5aa273ce539e364b5b8232e62e0138f8dcb890f5c6431a042373e6b8b575ab0ae28d675073c11403010001011603010030663ab180a032a44019f082c7b7bbbe08b4ab0289d3f756b3db9c008ff833b677dcd0f13b8a3f8dff843fee6ff5ade45f
NAS-Port-Type = Wireless-802.11
NAS-Port = 25054
State = 0xac8a03590947a4a133d475214f94e56b
NAS-IP-Address = 10.0.1.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN
\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 4
rlm_eap: EAP packet type response id 6 length 208
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 4
rlm_opendirectory: The SACL group "com.apple.access_radius" does not
exist on this system.
rlm_opendirectory: The host 10.0.1.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 4
modcall: leaving group authenticate (returns handled) for request 4
Sending Access-Challenge of id 145 to 10.0.1.18 port 1645
EAP-Message =
0x0107004119001403010001011603010030228059fa6d5d5315500d985707e3971e2ed6528447523cb9eddbe62cd59ade513573cb6c65ca62c4aae4ade497822162
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x047026473879d59c947bc8c63927aeb7
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.1.18:1645, id=146,
length=143
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0x9f2bc68db89048165ba1634281fc72b4
EAP-Message = 0x020700061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 25054
State = 0x047026473879d59c947bc8c63927aeb7
NAS-IP-Address = 10.0.1.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN
\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 5
rlm_eap: EAP packet type response id 7 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 5
rlm_opendirectory: The SACL group "com.apple.access_radius" does not
exist on this system.
rlm_opendirectory: The host 10.0.1.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap_peap: EAPTLS_SUCCESS
modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
Sending Access-Challenge of id 146 to 10.0.1.18 port 1645
EAP-Message =
0x0108002b1900170301002064dace269cb899183bd8d95224eb94f32b5e6a26066dad7788f53605a5aded03
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xed196022f86e5afdd435936327716839
Finished request 5
Going to the next request
--- Walking the entire request list ---
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 10.0.1.18:1645, id=147,
length=196
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0x79803d7a760259e31ef05817b9324ee7
EAP-Message =
0x0208003b19001703010030097b27b79776f3439411c7d9eb0b461d0be1c00ed19d5af243e1b1b5cefd44bd953e77adc0dc20396a887f50aa4e9cda
NAS-Port-Type = Wireless-802.11
NAS-Port = 25054
State = 0xed196022f86e5afdd435936327716839
NAS-IP-Address = 10.0.1.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN
\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 6
rlm_eap: EAP packet type response id 8 length 59
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 6
rlm_opendirectory: The SACL group "com.apple.access_radius" does not
exist on this system.
rlm_opendirectory: The host 10.0.1.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - DOMAIN\testuser
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x020800140142494f4348454d5c6b77746f62696e
PEAP: Got tunneled identity of DOMAIN\testuser
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to DOMAIN\testuser
PEAP: Sending tunneled request
EAP-Message = 0x020800140142494f4348454d5c6b77746f62696e
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "DOMAIN\\testuser"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN
\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 6
rlm_eap: EAP packet type response id 8 length 20
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 6
rlm_opendirectory: The SACL group "com.apple.access_radius" does not
exist on this system.
rlm_opendirectory: The host 127.0.0.1 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
PEAP: Got tunneled reply RADIUS code 11
EAP-Message =
0x010900291a0109002410f6a2c9810fb7ed8edb009ef517c57b9842494f4348454d5c6b77746f62696e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x676e7eabb3df0b7fd51756e198fb33e1
PEAP: Processing from tunneled session code 0x3d0b40 11
EAP-Message =
0x010900291a0109002410f6a2c9810fb7ed8edb009ef517c57b9842494f4348454d5c6b77746f62696e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x676e7eabb3df0b7fd51756e198fb33e1
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
Sending Access-Challenge of id 147 to 10.0.1.18 port 1645
EAP-Message =
0x0109004b19001703010040f2f081f7c672f75e88cc3c28924709ccce0b2ffc36eafc0eedb192a5ff797eb09cc69b304b0a73c0fa7dd1cd0955a7fde7dfd368453e179f886b4a19743253ab
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf04e08db6dfd07d6ea4469559541778b
Finished request 6
Going to the next request
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 10.0.1.18:1645, id=148,
length=244
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0x04fa6f71fd593d68468ba675d8a6a6fd
EAP-Message =
0x0209006b190017030100608ba86381a989f629a0152db4af2e5e1b230358e0e52f2b7804c6b7015e455a85fdd3af9b7582e3874bad298f2563d3dbd7d92f2ae857e1f6d7855e911ee79990791c3f0401b495543bbe55e9d71a4dde69abf394de19514ebdb952c36cf00363
NAS-Port-Type = Wireless-802.11
NAS-Port = 25054
State = 0xf04e08db6dfd07d6ea4469559541778b
NAS-IP-Address = 10.0.1.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "chap" returns noop for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 7
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN
\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 7
rlm_eap: EAP packet type response id 9 length 107
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 7
rlm_opendirectory: The SACL group "com.apple.access_radius" does not
exist on this system.
rlm_opendirectory: The host 10.0.1.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 7
modcall: leaving group authorize (returns updated) for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message =
0x0209004a1a02090045319e7f822007891eede62836fae693e7380000000000000000e678940c9d90daad8c447247c5f2a5735a81f065a4f51c5a0042494f4348454d5c6b77746f62696e
PEAP: Setting User-Name to DOMAIN\testuser
PEAP: Adding old state with 67 6e
PEAP: Sending tunneled request
EAP-Message =
0x0209004a1a02090045319e7f822007891eede62836fae693e7380000000000000000e678940c9d90daad8c447247c5f2a5735a81f065a4f51c5a0042494f4348454d5c6b77746f62696e
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "DOMAIN\\testuser"
State = 0x676e7eabb3df0b7fd51756e198fb33e1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "chap" returns noop for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 7
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN
\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 7
rlm_eap: EAP packet type response id 9 length 74
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 7
rlm_opendirectory: The SACL group "com.apple.access_radius" does not
exist on this system.
rlm_opendirectory: The host 127.0.0.1 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 7
modcall: leaving group authorize (returns updated) for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 7
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for testuser with NT-Password
rlm_mschap: No NT-Password configured. Trying DirectoryService
Authentication.
rlm_mschap: getUserNodeRef(): dsGetRecordList() status = 0, recCount=0
rlm_osx_od: ds_mschap_auth: getUserNodeRef failed
modcall[authenticate]: module "mschap" returns fail for request 7
modcall: leaving group MS-CHAP (returns fail) for request 7
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 7
modcall: leaving group authenticate (returns reject) for request 7
auth: Failed to validate the user.
Login incorrect: [testuser] (from client localhost port 0)
PEAP: Got tunneled reply RADIUS code 3
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Processing from tunneled session code 0x3d26b0 3
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 7
modcall: leaving group authenticate (returns handled) for request 7
Sending Access-Challenge of id 148 to 10.0.1.18 port 1645
EAP-Message =
0x010a002b1900170301002013b0843f143878e3e3c72c2dc0b637942564e4cd356299644f344050eec64b82
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3ac5dbc0d187f8eac944d43bec2c0ee6
Finished request 7
Going to the next request
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 10.0.1.18:1645, id=149,
length=180
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0xf76349f84857f1b818b035805e606323
EAP-Message =
0x020a002b19001703010020c497d0e05f02c157dc32f289f96a454aa43f4a825a3fd48ca82f1e2473e949f7
NAS-Port-Type = Wireless-802.11
NAS-Port = 25054
State = 0x3ac5dbc0d187f8eac944d43bec2c0ee6
NAS-IP-Address = 10.0.1.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "chap" returns noop for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN
\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 8
rlm_eap: EAP packet type response id 10 length 43
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 8
rlm_opendirectory: The SACL group "com.apple.access_radius" does not
exist on this system.
rlm_opendirectory: The host 10.0.1.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 8
modcall: leaving group authorize (returns updated) for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure. User was rejcted rejected
earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 8
modcall: leaving group authenticate (returns invalid) for request 8
auth: Failed to validate the user.
Login incorrect: [testuser] (from client DomainWireless port 25054 cli
001f.5bbe.f006)
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 141 with timestamp 490b013e
Cleaning up request 1 ID 142 with timestamp 490b013e
Cleaning up request 2 ID 143 with timestamp 490b013e
Cleaning up request 3 ID 144 with timestamp 490b013e
Cleaning up request 4 ID 145 with timestamp 490b013e
Sending Access-Reject of id 149 to 10.0.1.18 port 1645
EAP-Message = 0x040a0004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 5 ID 146 with timestamp 490b0141
Cleaning up request 6 ID 147 with timestamp 490b0141
Cleaning up request 7 ID 148 with timestamp 490b0141
Cleaning up request 8 ID 149 with timestamp 490b0141
Nothing to do. Sleeping until we see a request.
Kerry Tobin
>
>
> Message: 1
> Date: Thu, 30 Oct 2008 15:14:02 +0100
> From: <tnt(a)kalik.net>
> Subject: Re: Freeradius-Users Digest, Vol 42, Issue 169
> To: "FreeRadius users mailing list"
> <freeradius-users(a)lists.freeradius.org>
> Message-ID: <6pV6Kdh8.1225376042.7408230.tnt(a)kalik.net>
> Content-Type: text/plain; charset=ISO-8859-2
>
>> rlm_mschap: NT Domain delimeter found, should we have enabled
>> with_ntdomain_hack
>
> You need to enable with_ntdomain_hack in mschap module. ntdomain realm
> works for pap requests.
>
> Ivan Kalik
> Kalik Informatika ISP
2
1