Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
April 2008
- 161 participants
- 323 discussions
I have searched and searched, read the archives, etc. I feel that I may
have a unique problem and just missing a piece of the puzzle.
I have been running freeradius with a mysql database for over a year
now. It is very stable and I am generally pleased.
I have been having stale session issues on every one of my NASes. They
range from Cisco 7200, Cisco 2600, and Livingston Portmasters. They all
have stale sessions in the mysql database that never recieve a stop
time. I am almost certain there are no network issues because it seems
that start packets are never lost or update packets either.
This is the aaa config on my Ciscos:
aaa new-model
!
!
aaa authentication login default local group radius
aaa authentication login telnet line
aaa authentication ppp default if-needed local group radius
aaa authorization network default local group radius
aaa authorization network iemcdslauth group radius local
aaa accounting delay-start
aaa accounting update newinfo
aaa accounting network default start-stop group radius
aaa session-id common
!
radius-server attribute nas-port format d
radius-server host X.X.X.X auth-port 1645 acct-port 1646
radius-server key 7 XXXXXXXXXXXXXXX
So the question is, why are my NASs not sending stop packets, or why is
the freeradius server not processing the stop packets?
Is this a common problem? Feel free to also point me to some documents
that may be of assistance. Maybe I don't have enough resources to
process the commands? I have about 1500 users.
This is my setup:
openSuSE 10.2
Freeradius 1.1.13
MySQL 5.0.26
128MB RAM
Pentium III
Thanks for any help,
Shane
2
1
Ivan,
I compare the log of user "test" with user "test(a)some.domain.com" and the difference occurs in request 6, where the error occurs.
modcall: entering group MS-CHAP for request 6
rlm_mschap: Told to do MS-CHAPv2 for teste(a)unesp.br with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Follow the full request debug. Thanks.
Dácio
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:3072, id=229, length=185
User-Name = "test(a)some.domain.com"
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 0
Called-Station-Id = "00032f3939ee"
Calling-Station-Id = "00195b3bb2ef"
NAS-Identifier = "Realtek Access Point. 8181"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0201001301746573746540756e6573702e6272
Message-Authenticator = 0xc3ffe9e3fc0f509ae2b84f8a6f6a6067
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/var/log/radacct/xxx.xxx.xxx.xxx/auth-detail-20080408'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/xxx.xxx.xxx.xxx/auth-detail-20080408
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm "some.domain.com" for User-Name = "test(a)some.domain.com"
rlm_realm: Found realm "some.domain.com"
rlm_realm: Proxying request from user teste to realm xxx.xxx.xxx.xxx
rlm_realm: Adding Realm = "some.domain.com"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 1 length 19
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
radius_xlat: 'test(a)some.domain.com'
rlm_sql (sql): sql_set_user escaped user --> 'test(a)some.domain.com'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test(a)some.domain.com' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test(a)some.domain.com' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test(a)some.domain.com' ORDER BY id'
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test(a)some.domain.com' ORDER BY id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 0
modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 229 to xxx.xxx.xxx.xxx port 3072
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6224eaae80c73dc6c5b1e4c001202132
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:3072, id=230, length=278
User-Name = "test(a)some.domain.com"
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 0
Called-Station-Id = "00032f3939ee"
Calling-Station-Id = "00195b3bb2ef"
NAS-Identifier = "Realtek Access Point. 8181"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0202006419800000005a160301005501000051030147fb7c20c1e30b2994b996b0b8c4ef4242892ffcc47c595d2f5128ede79fe14800002a00160013006600150012000a0005000400070009006300650060006200610064001400110003000600080100
State = 0x6224eaae80c73dc6c5b1e4c001202132
Message-Authenticator = 0xc09131a50997249891265ad8957d7901
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat: '/var/log/radacct/xxx.xxx.xxx.xxx/auth-detail-20080408'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/xxx.xxx.xxx.xxx/auth-detail-20080408
modcall[authorize]: module "auth_log" returns ok for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: Looking up realm "some.domain.com" for User-Name = "test(a)some.domain.com"
rlm_realm: Found realm "some.domain.com"
rlm_realm: Proxying request from user teste to realm some.domain.com
rlm_realm: Adding Realm = "some.domain.com"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 2 length 100
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
radius_xlat: 'test(a)some.domain.com'
rlm_sql (sql): sql_set_user escaped user --> 'test(a)some.domain.com'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test(a)some.domain.com' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test(a)some.domain.com' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test(a)some.domain.com' ORDER BY id'
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test(a)some.domain.com' ORDER BY id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 1
modcall[authorize]: module "sql" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0055], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0694], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 230 to xxx.xxx.xxx.xxx port 3072
EAP-Message = 0x0103040a19c0000006f1160301004a02000046030147fb7c1f951876f5d60ba0f24d9fe93e6de4863bce7b5425c6cb1cf3a92dd33020613abc102d8150fef2156e03878273ffbbcc53b87de025738cea62fc0cb6a800000a0016030106940b00069000068d0002cd308202c930820232a003020102020102300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e74206365
EAP-Message = 0x7274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d301e170d3034303132353133323631305a170d3035303132343133323631305a30819b310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f73743119301706035504031310526f6f74206365727469666963617465311f301d06092a864886f70d0109011610726f6f74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003
EAP-Message = 0x818d0030818902818100dac525422bfedb082629a2cba44b3449c90d0ab462fb72c8434a782098863d7eb7d7e70028c2b7ad555a51cc756cf4fa1d7091615ab450d5289553ae6616aff014a55085d6b8fb4aee98638e426175cdd36c665c63cda177d34920eb30585edc8773999c2980f81ad4638bbbea1c82d054023db7ef24a3ec1c3f6241a903d7f30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181007a2d921b1cf13bf2982a9178ec9ede6d88edc178a2e8bd40a0a06fb6f0769957884cd7084537083496fd184165293f583c8e8240eb68e042c94b15752e4c07e80d09
EAP-Message = 0x779afa3dd55c24fa54ac292d77205d1c2477ed30d59f57caf9bd21ff2a8d16cc0911c50e4f295763fcb60efa3c3d2d0e43850f6e6fbe284902f6e83503650003ba308203b63082031fa003020102020100300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c
EAP-Message = 0x652e636f6d301e170d3034303132353133323630375a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x193c2165eb8d7263ae983a247103c03a
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:3072, id=231, length=184
User-Name = "test(a)some.domain.com"
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 0
Called-Station-Id = "00032f3939ee"
Calling-Station-Id = "00195b3bb2ef"
NAS-Identifier = "Realtek Access Point. 8181"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020300061900
State = 0x193c2165eb8d7263ae983a247103c03a
Message-Authenticator = 0xe38fe982e8ba04777fcf3a5092644716
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
radius_xlat: '/var/log/radacct/xxx.xxx.xxx.xxx/auth-detail-20080408'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/xxx.xxx.xxx.xxx/auth-detail-20080408
modcall[authorize]: module "auth_log" returns ok for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: Looking up realm "some.domain.com" for User-Name = "test(a)some.domain.com"
rlm_realm: Found realm "some.domain.com"
rlm_realm: Proxying request from user teste to realm some.domain.com
rlm_realm: Adding Realm = "some.domain.com"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
radius_xlat: 'test(a)some.domain.com'
rlm_sql (sql): sql_set_user escaped user --> 'test(a)some.domain.com'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test(a)some.domain.com' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test(a)some.domain.com' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test(a)some.domain.com' ORDER BY id'
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test(a)some.domain.com' ORDER BY id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 0
modcall[authorize]: module "sql" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 231 to xxx.xxx.xxx.xxx port 3072
EAP-Message = 0x010402f71900170d3036303132343133323630375a30819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d4c5b19724f164acf1ffb189db1c8fbff4f14396ea7cb1e90f78d69451725377895dfe52ccb99b41e8
EAP-Message = 0x0ddeb58b127a943f4f58cbc562878192fbdc6fece9f871e7c130d35cf5188817e9b133249edd2a1c75d31043ae87553cec7a77ef26aa7d74281db9b77e17c6446c5dd9b188b43250ca0229963722a123a726b00b4027fd0203010001a381ff3081fc301d0603551d0e0416041468d36d3e1ee7bc9d5a057021c363da1365d1ade33081cc0603551d230481c43081c1801468d36d3e1ee7bc9d5a057021c363da1365d1ade3a181a5a481a230819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010
EAP-Message = 0x060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d820100300c0603551d13040530030101ff300d06092a864886f70d01010405000381810033c00b66b1e579ef73a06798252dab8d5e5511fc00fd276d80d12f834777c6743fdc2743fca1507704e4bc0979e4f60ac3ad9ee83e6f347369229d1f77229ba2e982359da563024a00163dba6d6c986c0bad28af85132ff8f0d76501bf1b7c2dff658ce1e62c01997b6e64e3e8d4373354ce9912847651539063b85bbc5485c516030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcf564de617cbad9dca59e8769f2b8bf6
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:3072, id=232, length=378
User-Name = "test(a)some.domain.com"
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 0
Called-Station-Id = "00032f3939ee"
Calling-Station-Id = "00195b3bb2ef"
NAS-Identifier = "Realtek Access Point. 8181"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400c81980000000be1603010086100000820080cc1fe677bfe3b1d5581ac79a9e25bca4c9451d47ea55f3930c0d5b9c7899c116a7463e86a71a6e55ccef458b4d474e42b301d869fa872bbec33a1f3e15433cb50454aca004b29a3b631fc8a1edaaa814435ce7b90aeb19c7477de1fd46b5ddf4db383c95766a78208a60687042d3680790877c39e98ac997935ee3ab718cc20b140301000101160301002828a9d204577a1d9398ec183a15bd27e4f1695f56df57e7e52f65c4a1acbf43358a76e938916c5b5b
State = 0xcf564de617cbad9dca59e8769f2b8bf6
Message-Authenticator = 0x2d7e56d69f0063be3791634814782f93
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
radius_xlat: '/var/log/radacct/xxx.xxx.xxx.xxx/auth-detail-20080408'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/xxx.xxx.xxx.xxx/auth-detail-20080408
modcall[authorize]: module "auth_log" returns ok for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: Looking up realm "some.domain.com" for User-Name = "test(a)some.domain.com"
rlm_realm: Found realm "some.domain.com"
rlm_realm: Proxying request from user teste to realm some.domain.com
rlm_realm: Adding Realm = "some.domain.com"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 3
rlm_eap: EAP packet type response id 4 length 200
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
radius_xlat: 'test(a)some.domain.com'
rlm_sql (sql): sql_set_user escaped user --> 'test(a)some.domain.com'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test(a)some.domain.com' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test(a)some.domain.com' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test(a)some.domain.com' ORDER BY id'
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test(a)some.domain.com' ORDER BY id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 1
modcall[authorize]: module "sql" returns ok for request 3
modcall: leaving group authorize (returns updated) for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 232 to xxx.xxx.xxx.xxx port 3072
EAP-Message = 0x010500391900140301000101160301002825a817ae388d2cd2ec8ae3be6049e08fb21c0a5e3179ee6edb412a99bcf926e8157cb15dd1addeee
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x182e732c21ae66a62538d2ac3f2a13e0
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:3072, id=233, length=184
User-Name = "test(a)some.domain.com"
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 0
Called-Station-Id = "00032f3939ee"
Calling-Station-Id = "00195b3bb2ef"
NAS-Identifier = "Realtek Access Point. 8181"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020500061900
State = 0x182e732c21ae66a62538d2ac3f2a13e0
Message-Authenticator = 0xe575301676b2facac5ac8cf928a43cb3
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
radius_xlat: '/var/log/radacct/xxx.xxx.xxx.xxx/auth-detail-20080408'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/xxx.xxx.xxx.xxx/auth-detail-20080408
modcall[authorize]: module "auth_log" returns ok for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: Looking up realm "some.domain.com" for User-Name = "test(a)some.domain.com"
rlm_realm: Found realm "some.domain.com"
rlm_realm: Proxying request from user teste to realm some.domain.com
rlm_realm: Adding Realm = "some.domain.com"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: EAP packet type response id 5 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
radius_xlat: 'test(a)some.domain.com'
rlm_sql (sql): sql_set_user escaped user --> 'test(a)some.domain.com'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test(a)some.domain.com' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test(a)some.domain.com' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test(a)some.domain.com' ORDER BY id'
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test(a)some.domain.com' ORDER BY id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 0
modcall[authorize]: module "sql" returns ok for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap_peap: EAPTLS_SUCCESS
modcall[authenticate]: module "eap" returns handled for request 4
modcall: leaving group authenticate (returns handled) for request 4
Sending Access-Challenge of id 233 to xxx.xxx.xxx.xxx port 3072
EAP-Message = 0x0106002b19001703010020de0aa7aa8c691695e91aac3dcbcf0f308a562d1695fa441d14542c764e2d2c3a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd704d19866681740655181d83bd472b2
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:3072, id=234, length=258
User-Name = "test(a)some.domain.com"
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 0
Called-Station-Id = "00032f3939ee"
Calling-Station-Id = "00195b3bb2ef"
NAS-Identifier = "Realtek Access Point. 8181"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020600501900170301001827a733901555adfb04f3dea94b257adfc45ba0d6d8bc37681703010028b24cc3458a50eeb036ece2970736c5700fdd6848c37c002972ec179988e6e95b65e31802d2ca14eb
State = 0xd704d19866681740655181d83bd472b2
Message-Authenticator = 0xcc1ed16ef713838dd8c0efa98dc5afc6
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
radius_xlat: '/var/log/radacct/xxx.xxx.xxx.xxx/auth-detail-20080408'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/xxx.xxx.xxx.xxx/auth-detail-20080408
modcall[authorize]: module "auth_log" returns ok for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: Looking up realm "some.domain.com" for User-Name = "test(a)some.domain.com"
rlm_realm: Found realm "some.domain.com"
rlm_realm: Proxying request from user teste to realm some.domain.com
rlm_realm: Adding Realm = "some.domain.com"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 5
rlm_eap: EAP packet type response id 6 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
radius_xlat: 'test(a)some.domain.com'
rlm_sql (sql): sql_set_user escaped user --> 'test(a)some.domain.com'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test(a)some.domain.com' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test(a)some.domain.com' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test(a)some.domain.com' ORDER BY id'
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test(a)some.domain.com' ORDER BY id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 1
modcall[authorize]: module "sql" returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - test(a)some.domain.com
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x0206001301746573746540756e6573702e6272
PEAP: Got tunneled identity of test(a)some.domain.com
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to test(a)some.domain.com
PEAP: Sending tunneled request
EAP-Message = 0x0206001301746573746540756e6573702e6272
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test(a)some.domain.com"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
radius_xlat: '/var/log/radacct/127.0.0.1/auth-detail-20080408'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/127.0.0.1/auth-detail-20080408
modcall[authorize]: module "auth_log" returns ok for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: Looking up realm "some.domain.com" for User-Name = "test(a)some.domain.com"
rlm_realm: Found realm "some.domain.com"
rlm_realm: Proxying request from user teste to realm some.domain.com
rlm_realm: Adding Realm = "some.domain.com"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 5
rlm_eap: EAP packet type response id 6 length 19
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
radius_xlat: 'test(a)some.domain.com'
rlm_sql (sql): sql_set_user escaped user --> 'test(a)some.domain.com'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test(a)some.domain.com' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test(a)some.domain.com' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test(a)some.domain.com' ORDER BY id'
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test(a)some.domain.com' ORDER BY id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 0
modcall[authorize]: module "sql" returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
PEAP: Got tunneled reply RADIUS code 11
EAP-Message = 0x010700281a010700231008a4d8ef8da7648f9e3b999692beb2d9746573746540756e6573702e6272
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4c210b27974f76ea183dd958e64687f6
PEAP: Processing from tunneled session code 0x814c540 11
EAP-Message = 0x010700281a010700231008a4d8ef8da7648f9e3b999692beb2d9746573746540756e6573702e6272
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4c210b27974f76ea183dd958e64687f6
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
Sending Access-Challenge of id 234 to xxx.xxx.xxx.xxx port 3072
EAP-Message = 0x0107004b1900170301004040e0c56b9292f315d4d01662f832bd6f36bbc14146db053b464da3e2d53a0a4c6b81806fd47bab5917f63c3f73e537e789c824f9c55feb37ef46a24176ede837
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8ecf9b67323718ec2c911b6ca0d17892
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:3072, id=235, length=306
User-Name = "test(a)some.domain.com"
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 0
Called-Station-Id = "00032f3939ee"
Calling-Station-Id = "00195b3bb2ef"
NAS-Identifier = "Realtek Access Point. 8181"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0207008019001703010018097c58bd0f7550fe69d20edc0338b113586aa977a1b8155e17030100587bf14aeb61246aed87d8cf406094493cebd1660d1f385298dcdf88440828c2052c5cb34136a89f75921f89dd4daba5c5bb3d146d56a00def6cdf669cec0947f1f80f2197cd79bcc4884cbf931c1c8a0556fba4743d260d11
State = 0x8ecf9b67323718ec2c911b6ca0d17892
Message-Authenticator = 0x62dfc88c5039a06086439e75ba25cd7b
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
radius_xlat: '/var/log/radacct/xxx.xxx.xxx.xxx/auth-detail-20080408'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/xxx.xxx.xxx.xxx/auth-detail-20080408
modcall[authorize]: module "auth_log" returns ok for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: Looking up realm "some.domain.com" for User-Name = "test(a)some.domain.com"
rlm_realm: Found realm "some.domain.com"
rlm_realm: Proxying request from user teste to realm some.domain.com
rlm_realm: Adding Realm = "some.domain.com"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 6
rlm_eap: EAP packet type response id 7 length 128
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
radius_xlat: 'test(a)some.domain.com'
rlm_sql (sql): sql_set_user escaped user --> 'test(a)some.domain.com'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test(a)some.domain.com' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test(a)some.domain.com' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test(a)some.domain.com' ORDER BY id'
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test(a)some.domain.com' ORDER BY id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 1
modcall[authorize]: module "sql" returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x020700401a0207003b31c46468a9049dbdcc059374d52be43ec400000000000000001c9c46053af9712fe75317261304952aff7418c766d6e14d007465737465
PEAP: Setting User-Name to test(a)some.domain.com
PEAP: Adding old state with 4c 21
PEAP: Sending tunneled request
EAP-Message = 0x020700401a0207003b31c46468a9049dbdcc059374d52be43ec400000000000000001c9c46053af9712fe75317261304952aff7418c766d6e14d007465737465
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test(a)some.domain.com"
State = 0x4c210b27974f76ea183dd958e64687f6
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
radius_xlat: '/var/log/radacct/127.0.0.1/auth-detail-20080408'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/127.0.0.1/auth-detail-20080408
modcall[authorize]: module "auth_log" returns ok for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: Looking up realm "some.domain.com" for User-Name = "test(a)some.domain.com"
rlm_realm: Found realm "some.domain.com"
rlm_realm: Proxying request from user teste to realm some.domain.com
rlm_realm: Adding Realm = "some.domain.com"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 6
rlm_eap: EAP packet type response id 7 length 64
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
radius_xlat: 'test(a)some.domain.com'
rlm_sql (sql): sql_set_user escaped user --> 'test(a)some.domain.com'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test(a)some.domain.com' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test(a)some.domain.com' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test(a)some.domain.com' ORDER BY id'
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test(a)some.domain.com' ORDER BY id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 0
modcall[authorize]: module "sql" returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 6
rlm_mschap: Told to do MS-CHAPv2 for test(a)some.domain.com with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 6
modcall: leaving group authenticate (returns reject) for request 6
auth: Failed to validate the user.
Trying to look up name of unknown client 127.0.0.1.
Login incorrect: [test(a)some.domain.com/<no User-Password attribute>] (from client UNKNOWN-CLIENT port 0)
PEAP: Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Processing from tunneled session code 0x814c580 3
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
Sending Access-Challenge of id 235 to xxx.xxx.xxx.xxx port 3072
EAP-Message = 0x0108002b190017030100204f9c3f7cf2cfc129466b867acdfb475dcc3af95f2ced0c6372afd0ba0c0fa8a2
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdd4feaf92f62dd58a7c02671a675bd37
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:3072, id=236, length=250
User-Name = "test(a)some.domain.com"
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 0
Called-Station-Id = "00032f3939ee"
Calling-Station-Id = "00195b3bb2ef"
NAS-Identifier = "Realtek Access Point. 8181"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0208004819001703010018bd3ccdb7752e25d155d356f08ba1e02912ec8e16c8a8bf9817030100204b2bfca50409bfae77cc01432a5b5a30eabf8a4cbacc1f46646f5a586fae96ea
State = 0xdd4feaf92f62dd58a7c02671a675bd37
Message-Authenticator = 0x9a4d428deb0e6931a3a41cff9a3f7365
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
radius_xlat: '/var/log/radacct/xxx.xxx.xxx.xxx/auth-detail-20080408'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/xxx.xxx.xxx.xxx/auth-detail-20080408
modcall[authorize]: module "auth_log" returns ok for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: Looking up realm "some.domain.com" for User-Name = "test(a)some.domain.com"
rlm_realm: Found realm "some.domain.com"
rlm_realm: Proxying request from user teste to realm some.domain.com
rlm_realm: Adding Realm = "some.domain.com"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 7
rlm_eap: EAP packet type response id 8 length 72
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
radius_xlat: 'test(a)some.domain.com'
rlm_sql (sql): sql_set_user escaped user --> 'test(a)some.domain.com'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test(a)some.domain.com' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test(a)some.domain.com' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test(a)some.domain.com' ORDER BY id'
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test(a)some.domain.com' ORDER BY id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test(a)some.domain.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 1
modcall[authorize]: module "sql" returns ok for request 7
modcall: leaving group authorize (returns updated) for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 7
modcall: leaving group authenticate (returns invalid) for request 7
auth: Failed to validate the user.
Login incorrect: [test(a)some.domain.com/<no User-Password attribute>] (from client AP01-GRC port 0 cli 00195b3bb2ef)
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
Waking up in 6 seconds...
---------- Início da mensagem original -----------
De: freeradius-users-bounces+tiodacio=bol.com.br(a)lists.freeradius.org
Para: "FreeRadius users mailing list" freeradius-users(a)lists.freeradius.org
Cc:
Data: Tue, 08 Apr 2008 14:32:01 +0100
Assunto: Re: Authenticate with FreeRadius + MySQL + PEAP
> Debug of the request?
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> Dana 8/4/2008, "tiodacio" <tiodacio(a)bol.com.br> pise:
>
> >Hi,
> >
> >I'm using FreeRADIUS Version 1.1.6 for Freebsd 6.2 to authenticate Wi-Fi clients. Im using WPA2. My users are in a MySQL database and i'm using EAP-PEAP and mschapv2 for authentication.
> >
> >When i create a user "test", for example, in the radcheck table and configure this user in a Windows XP the authentication proceeds without problem, but when i create a user "test(a)some.domain.com" in radcheck and configure this user in Windows XP client, the authentication fails.
> >
> >In my proxy.conf i have two entries, the realm NULL and the realm some.domain.com, both authenticating locally, and the realm some.domain.com with the nostrip option. In my radiusd.conf, i'm using realm suffix with @ as delimiter.
> >
> >The strange is that with the same configuration, the user "test" was authenticate correctly but the user "test(a)some.domain.com" was not. Any suggestions?
> >
> >Follow my configuration options:
> >
> >Config: including file: /usr/local/etc/raddb/proxy.conf
> >Config: including file: /usr/local/etc/raddb/clients.conf
> >Config: including file: /usr/local/etc/raddb/eap.conf
> >Config: including file: /usr/local/etc/raddb/sql.conf
> > main: prefix = "/usr/local"
> > main: localstatedir = "/var"
> > main: logdir = "/var/log"
> > main: libdir = "/usr/local/lib"
> > main: radacctdir = "/var/log/radacct"
> > main: hostname_lookups = no
> > main: max_request_time = 30
> > main: cleanup_delay = 5
> > main: max_requests = 1024
> > main: delete_blocked_requests = 0
> > main: port = 1812
> > main: allow_core_dumps = no
> > main: log_stripped_names = yes
> > main: log_file = "/var/log/radius.log"
> > main: log_auth = yes
> > main: log_auth_badpass = yes
> > main: log_auth_goodpass = yes
> > main: pidfile = "/var/run/radiusd/radiusd.pid"
> > main: bind_address = xxx.xxx.xxx.xxx IP address [xxx.xxx.xxx.xxx]
> > main: user = "(null)"
> > main: group = "(null)"
> > main: usercollide = no
> > main: lower_user = "no"
> > main: lower_pass = "no"
> > main: nospace_user = "no"
> > main: nospace_pass = "no"
> > main: checkrad = "/usr/local/sbin/checkrad"
> > main: proxy_requests = yes
> > proxy: retry_delay = 5
> > proxy: retry_count = 3
> > proxy: synchronous = no
> > proxy: default_fallback = yes
> > proxy: dead_time = 120
> > proxy: post_proxy_authorize = no
> > proxy: wake_all_if_all_dead = no
> > security: max_attributes = 200
> > security: reject_delay = 1
> > security: status_server = no
> > main: debug_level = 0
> >read_config_files: reading dictionary
> >read_config_files: reading naslist
> >Using deprecated naslist file. Support for this will go away soon.
> >read_config_files: reading clients
> >read_config_files: reading realms
> >radiusd: entering modules setup
> >Module: Library search path is /usr/local/lib
> >Module: Loaded MS-CHAP
> > mschap: use_mppe = no
> > mschap: require_encryption = yes
> > mschap: require_strong = yes
> > mschap: with_ntdomain_hack = no
> > mschap: passwd = "(null)"
> > mschap: ntlm_auth = "(null)"
> >Module: Instantiated mschap (mschap)
> >Module: Loaded eap
> > eap: default_eap_type = "peap"
> > eap: timer_expire = 60
> > eap: ignore_unknown_eap_types = no
> > eap: cisco_accounting_username_bug = no
> > tls: rsa_key_exchange = no
> > tls: dh_key_exchange = yes
> > tls: rsa_key_length = 512
> > tls: dh_key_length = 512
> > tls: verify_depth = 0
> > tls: CA_path = "(null)"
> > tls: pem_file_type = yes
> > tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
> > tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
> > tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
> > tls: private_key_password = "whatever"
> > tls: dh_file = "/usr/local/etc/raddb/certs/dh"
> > tls: random_file = "/usr/local/etc/raddb/certs/random"
> > tls: fragment_size = 1024
> > tls: include_length = yes
> > tls: check_crl = no
> > tls: check_cert_cn = "(null)"
> > tls: cipher_list = "(null)"
> > tls: check_cert_issuer = "(null)"
> >rlm_eap_tls: Loading the certificate file as a chain
> >rlm_eap: Loaded and initialized type tls
> > peap: default_eap_type = "mschapv2"
> > peap: copy_request_to_tunnel = no
> > peap: use_tunneled_reply = no
> > peap: proxy_tunneled_request_as_eap = yes
> >rlm_eap: Loaded and initialized type peap
> > mschapv2: with_ntdomain_hack = no
> >rlm_eap: Loaded and initialized type mschapv2
> >Module: Instantiated eap (eap)
> >Module: Loaded preprocess
> > preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
> > preprocess: hints = "/usr/local/etc/raddb/hints"
> > preprocess: with_ascend_hack = no
> > preprocess: ascend_channels_per_line = 23
> > preprocess: with_ntdomain_hack = no
> > preprocess: with_specialix_jetstream_hack = no
> > preprocess: with_cisco_vsa_hack = no
> > preprocess: with_alvarion_vsa_hack = no
> >Module: Instantiated preprocess (preprocess)
> >Module: Loaded detail
> > detail: detailfile = "/var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
> > detail: detailperm = 384
> > detail: dirperm = 493
> > detail: locking = no
> >Module: Instantiated detail (auth_log)
> >Module: Loaded realm
> > realm: format = "suffix"
> > realm: delimiter = "@"
> > realm: ignore_default = no
> > realm: ignore_null = no
> >Module: Instantiated realm (suffix)
> >Module: Loaded SQL
> > sql: driver = "rlm_sql_mysql"
> > sql: server = "localhost"
> > sql: port = ""
> > sql: login = "root"
> > sql: password = "xxxxxxxxxxxx"
> > sql: radius_db = "phpradmin"
> > sql: nas_table = "nas"
> > sql: sqltrace = yes
> > sql: sqltracefile = "/var/log/sqltrace.sql"
> > sql: readclients = yes
> > sql: deletestalesessions = yes
> > sql: num_sql_socks = 2
> > sql: sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"
> > sql: default_user_profile = ""
> > sql: query_on_not_found = no
> > sql: authorize_check_query = "SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
> > sql: authorize_reply_query = "SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
> > sql: authorize_group_check_query = "SELECT radgroupcheck.id,radgroupcheckGroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id"
> > sql: authorize_group_reply_query = "SELECT radgroupreply.id,radgroupreplyGroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id"
> > sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
> > sql: accounting_update_query = "UPDATE radacct SET FramedIPAddress = '%{Framed-IP-Address}', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}'"
> > sql: accounting_update_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')"
> > sql: accounting_start_query = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"
> > sql: accounting_start_query_alt = "UPDATE radacct SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
> > sql: accounting_stop_query = "UPDATE radacct SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
> > sql: accounting_stop_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')"
> > sql: group_membership_query = "SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'"
> > sql: connect_failure_retry_delay = 60
> > sql: simul_count_query = ""
> > sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
> > sql: postauth_query = "INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"
> > sql: safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
> >rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
> >rlm_sql (sql): Attempting to connect to root@localhost:/phpradmin
> >rlm_sql (sql): starting 0
> >rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
> >rlm_sql_mysql: Starting connect to MySQL server for #0
> >rlm_sql (sql): Connected new DB handle, #0
> >rlm_sql (sql): starting 1
> >rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
> >rlm_sql_mysql: Starting connect to MySQL server for #1
> >rlm_sql (sql): Connected new DB handle, #1
> >rlm_sql (sql): - generate_sql_clients
> >rlm_sql (sql): Query: SELECT * FROM nas
> >rlm_sql (sql): Reserving sql socket id: 1
> >rlm_sql_mysql: query: SELECT * FROM nas
> >rlm_sql (sql): Read entry nasname=xxx.xxx.xxx.xxx,shortname=Localhost,secret=xxxxxxxx
> >rlm_sql (sql): Adding client xxx.xxx.xxx.xxx (Localhost) to clients list
> >rlm_sql (sql): Read entry nasname=xxx.xxx.xxx.xxx,shortname=AP01,secret=xxxxxxxx
> >rlm_sql (sql): Adding client xxx.xxx.xxx.xxx (AP01) to clients list
> >rlm_sql (sql): Released sql socket id: 1
> >Module: Instantiated sql (sql)
> >Module: Loaded Acct-Unique-Session-Id
> > acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
> >Module: Instantiated acct_unique (acct_unique)
> > detail: detailfile = "/var/log/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d"
> > detail: detailperm = 384
> > detail: dirperm = 493
> > detail: locking = no
> >Module: Instantiated detail (pre_proxy_log)
> > detail: detailfile = "/var/log/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"
> > detail: detailperm = 384
> > detail: dirperm = 493
> > detail: locking = no
> >Module: Instantiated detail (reply_log)
> >Listening on authentication xxx.xxx.xxx.xxx:1812
> >Listening on accounting xxx.xxx.xxx.xxx:1813
> >Ready to process requests.
> >
> >
> >-
> >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
> >
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
2
1
Hi,
I'm using FreeRADIUS Version 1.1.6 for Freebsd 6.2 to authenticate Wi-Fi clients. Im using WPA2. My users are in a MySQL database and i'm using EAP-PEAP and mschapv2 for authentication.
When i create a user "test", for example, in the radcheck table and configure this user in a Windows XP the authentication proceeds without problem, but when i create a user "test(a)some.domain.com" in radcheck and configure this user in Windows XP client, the authentication fails.
In my proxy.conf i have two entries, the realm NULL and the realm some.domain.com, both authenticating locally, and the realm some.domain.com with the nostrip option. In my radiusd.conf, i'm using realm suffix with @ as delimiter.
The strange is that with the same configuration, the user "test" was authenticate correctly but the user "test(a)some.domain.com" was not. Any suggestions?
Follow my configuration options:
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/var"
main: logdir = "/var/log"
main: libdir = "/usr/local/lib"
main: radacctdir = "/var/log/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1812
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/var/log/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: bind_address = xxx.xxx.xxx.xxx IP address [xxx.xxx.xxx.xxx]
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded MS-CHAP
mschap: use_mppe = no
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/usr/local/etc/raddb/certs/dh"
tls: random_file = "/usr/local/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
tls: cipher_list = "(null)"
tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile = "/var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded SQL
sql: driver = "rlm_sql_mysql"
sql: server = "localhost"
sql: port = ""
sql: login = "root"
sql: password = "xxxxxxxxxxxx"
sql: radius_db = "phpradmin"
sql: nas_table = "nas"
sql: sqltrace = yes
sql: sqltracefile = "/var/log/sqltrace.sql"
sql: readclients = yes
sql: deletestalesessions = yes
sql: num_sql_socks = 2
sql: sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"
sql: default_user_profile = ""
sql: query_on_not_found = no
sql: authorize_check_query = "SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
sql: authorize_reply_query = "SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
sql: authorize_group_check_query = "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id"
sql: authorize_group_reply_query = "SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id"
sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
sql: accounting_update_query = "UPDATE radacct SET FramedIPAddress = '%{Framed-IP-Address}', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}'"
sql: accounting_update_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')"
sql: accounting_start_query = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"
sql: accounting_start_query_alt = "UPDATE radacct SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
sql: accounting_stop_query = "UPDATE radacct SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
sql: accounting_stop_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')"
sql: group_membership_query = "SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'"
sql: connect_failure_retry_delay = 60
sql: simul_count_query = ""
sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
sql: postauth_query = "INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"
sql: safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to root@localhost:/phpradmin
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): - generate_sql_clients
rlm_sql (sql): Query: SELECT * FROM nas
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: query: SELECT * FROM nas
rlm_sql (sql): Read entry nasname=xxx.xxx.xxx.xxx,shortname=Localhost,secret=xxxxxxxx
rlm_sql (sql): Adding client xxx.xxx.xxx.xxx (Localhost) to clients list
rlm_sql (sql): Read entry nasname=xxx.xxx.xxx.xxx,shortname=AP01,secret=xxxxxxxx
rlm_sql (sql): Adding client xxx.xxx.xxx.xxx (AP01) to clients list
rlm_sql (sql): Released sql socket id: 1
Module: Instantiated sql (sql)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
detail: detailfile = "/var/log/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (pre_proxy_log)
detail: detailfile = "/var/log/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (reply_log)
Listening on authentication xxx.xxx.xxx.xxx:1812
Listening on accounting xxx.xxx.xxx.xxx:1813
Ready to process requests.
2
1
Ivan, nice to see that you're always there to provide support.
I've managed to have it working somehow. using nokia wifi enabled phones & laptops. All throughout the sessions, I've been using Sony Ericsson's P1i to test the setup (Chillispot + Freeradius + Mysql).
Now I'm checking the reason why it fails when I use Sony Ericsson.
----- Original Message ----
From: Ivan Kalik <tnt(a)kalik.net>
To: FreeRadius users mailing list <freeradius-users(a)lists.freeradius.org>
Sent: Tuesday, April 8, 2008 12:53:57
Subject: Re: Freeradius + CHAP
Server debug please.
Ivan Kalik
Kalik Informatika ISP
Dana 8/4/2008, "SANDY KALUGDAN" <sandykalugdan(a)yahoo.com> piše:
>[root@host SPECS]# radtest s sandy locahost 1645 testing123
>radclient: Failed to find IP address for host locahost: Success
>
>----- Original Message ----
>From: Ivan Kalik <tnt(a)kalik.net>
>To: FreeRadius users mailing list <freeradius-users(a)lists.freeradius.org>
>Sent: Monday, April 7, 2008 18:11:04
>Subject: Re: Freeradius + CHAP
>
>Can you do radtest from the machine on which chillispot is installed? If
>radtest does OK - it's a chilli bug. If radtest fails as well - crypto
>libraries on that machine are broken.
>
>Ivan Kalik
>Kalik Informatika ISP
>
>
>Dana 7/4/2008, "SANDY KALUGDAN" <sandykalugdan(a)yahoo.com> piĹĄe:
>
>>chillispot hotspotlogin.cgi contains
>>
>># Shared secret used to encrypt challenge with. Prevents dictionary attacks.
>># You should change this to your own shared secret.
>>$uamsecret = "testing123";
>>
>># Uncomment the following line if you want to use ordinary user-password
>># for radius authentication. Must be used together with $uamsecret.
>>$userpassword=1;
>>
>>nas table
>>>+----+-----------+-----------+------+-------+------------+-----------+-------------+
>>>| id | nasname | shortname | type | ports | secret | community | description |
>>>+----+-----------+-----------+------+-------+------------+-----------+-------------+
>>>| 1 | 127.0.0.1 | localhost | NULL | NULL | testing123 | NULL | NULL |
>>>+----+-----------+-----------+------+-------+------------+-----------+-------------+
>>
>>radcheck table
>>mysql> select * from radcheck;
>>+----+----------+--------------------+----+-------+
>>| id | UserName | Attribute | op | Value |
>>+----+----------+--------------------+----+-------+
>>| 1 | s | Cleartext-Password | := | sandy |
>>| 2 | steve | Cleartext-Password | := | s |
>>+----+----------+--------------------+----+-------+
>>2 rows in set (0.00 sec)
>>
>>clients.conf
>>client 192.168.182.1/24 {
>> secret = testing123
>> shortname = private-network
>>}
>>
>>
>>nas table and clients.conf are both on radius server. You need to make
>>testing123 secret on the portal that is sending those reqests.
>>
>>Ivan Kalik
>>Kalik Informatika ISP
>>
>>
>>Dana 7/4/2008, "SANDY KALUGDAN" <sandykalugdan(a)yahoo.com> piÄšÄe:
>>
>>>I've checked the clients.conf and it uses testing123 as the secret.
>>>I've created a record on nas
>>>mysql> select * from nas;
>>>+----+-----------+-----------+------+-------+------------+-----------+-------------+
>>>| id | nasname | shortname | type | ports | secret | community | description |
>>>+----+-----------+-----------+------+-------+------------+-----------+-------------+
>>>| 1 | 127.0.0.1 | localhost | NULL | NULL | testing123 | NULL | NULL |
>>>+----+-----------+-----------+------+-------+------------+-----------+-------------+
>>>
>>>here is a portion of the radiusd -X output
>>>
>>>rlm_pap: Found existing Auth-Type, not changing it.
>>>++[pap] returns noop
>>> rad_check_password: Found Auth-Type
>>>auth: type Local
>>>auth: user supplied User-Password does NOT match local User-Password
>>>auth: Failed to validate the user.
>>>Login incorrect: [s/\365\010\343\323] (from client localhost port 0 cli 00-1C-A4-6F-21-10)
>>> WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
>>> Found Post-Auth-Type Reject
>>>+- entering group REJECT
>>> expand: %{User-Name} -> s
>>> attr_filter: Matched entry DEFAULT at line 11
>>>
>>>
>>>
>>>----- Original Message ----
>>>From: Ivan Kalik <tnt(a)kalik.net>
>>>To: FreeRadius users mailing list <freeradius-users(a)lists.freeradius.org>
>>>Sent: Monday, April 7, 2008 16:22:38
>>>Subject: Re: Freeradius + CHAP
>>>
>>>> User-Password = "\340\334\351\234"
>>>
>>>Shared secret in clents.conf and on the NAS is not the same.
>>>
>>>Ivan Kalik
>>>Kalik Informatika ISP
>>>
>>>-
>>>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>>
>>>
>>>
>>>
>>>Send instant messages to your online friends http://uk.messenger.yahoo.com
>>>
>>>-
>>>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>>
>>>
>>
>>-
>>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>>
>>
>>
>>Send instant messages to your online friends http://uk.messenger.yahoo.com
>>
>>-
>>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
>
>
>Send instant messages to your online friends http://uk.messenger.yahoo.com
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Send instant messages to your online friends http://uk.messenger.yahoo.com
1
0
[root@host SPECS]# radtest s sandy locahost 1645 testing123
radclient: Failed to find IP address for host locahost: Success
----- Original Message ----
From: Ivan Kalik <tnt(a)kalik.net>
To: FreeRadius users mailing list <freeradius-users(a)lists.freeradius.org>
Sent: Monday, April 7, 2008 18:11:04
Subject: Re: Freeradius + CHAP
Can you do radtest from the machine on which chillispot is installed? If
radtest does OK - it's a chilli bug. If radtest fails as well - crypto
libraries on that machine are broken.
Ivan Kalik
Kalik Informatika ISP
Dana 7/4/2008, "SANDY KALUGDAN" <sandykalugdan(a)yahoo.com> piše:
>chillispot hotspotlogin.cgi contains
>
># Shared secret used to encrypt challenge with. Prevents dictionary attacks.
># You should change this to your own shared secret.
>$uamsecret = "testing123";
>
># Uncomment the following line if you want to use ordinary user-password
># for radius authentication. Must be used together with $uamsecret.
>$userpassword=1;
>
>nas table
>>+----+-----------+-----------+------+-------+------------+-----------+-------------+
>>| id | nasname | shortname | type | ports | secret | community | description |
>>+----+-----------+-----------+------+-------+------------+-----------+-------------+
>>| 1 | 127.0.0.1 | localhost | NULL | NULL | testing123 | NULL | NULL |
>>+----+-----------+-----------+------+-------+------------+-----------+-------------+
>
>radcheck table
>mysql> select * from radcheck;
>+----+----------+--------------------+----+-------+
>| id | UserName | Attribute | op | Value |
>+----+----------+--------------------+----+-------+
>| 1 | s | Cleartext-Password | := | sandy |
>| 2 | steve | Cleartext-Password | := | s |
>+----+----------+--------------------+----+-------+
>2 rows in set (0.00 sec)
>
>clients.conf
>client 192.168.182.1/24 {
> secret = testing123
> shortname = private-network
>}
>
>
>nas table and clients.conf are both on radius server. You need to make
>testing123 secret on the portal that is sending those reqests.
>
>Ivan Kalik
>Kalik Informatika ISP
>
>
>Dana 7/4/2008, "SANDY KALUGDAN" <sandykalugdan(a)yahoo.com> piĹĄe:
>
>>I've checked the clients.conf and it uses testing123 as the secret.
>>I've created a record on nas
>>mysql> select * from nas;
>>+----+-----------+-----------+------+-------+------------+-----------+-------------+
>>| id | nasname | shortname | type | ports | secret | community | description |
>>+----+-----------+-----------+------+-------+------------+-----------+-------------+
>>| 1 | 127.0.0.1 | localhost | NULL | NULL | testing123 | NULL | NULL |
>>+----+-----------+-----------+------+-------+------------+-----------+-------------+
>>
>>here is a portion of the radiusd -X output
>>
>>rlm_pap: Found existing Auth-Type, not changing it.
>>++[pap] returns noop
>> rad_check_password: Found Auth-Type
>>auth: type Local
>>auth: user supplied User-Password does NOT match local User-Password
>>auth: Failed to validate the user.
>>Login incorrect: [s/\365\010\343\323] (from client localhost port 0 cli 00-1C-A4-6F-21-10)
>> WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
>> Found Post-Auth-Type Reject
>>+- entering group REJECT
>> expand: %{User-Name} -> s
>> attr_filter: Matched entry DEFAULT at line 11
>>
>>
>>
>>----- Original Message ----
>>From: Ivan Kalik <tnt(a)kalik.net>
>>To: FreeRadius users mailing list <freeradius-users(a)lists.freeradius.org>
>>Sent: Monday, April 7, 2008 16:22:38
>>Subject: Re: Freeradius + CHAP
>>
>>> User-Password = "\340\334\351\234"
>>
>>Shared secret in clents.conf and on the NAS is not the same.
>>
>>Ivan Kalik
>>Kalik Informatika ISP
>>
>>-
>>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>>
>>
>>
>>Send instant messages to your online friends http://uk.messenger.yahoo.com
>>
>>-
>>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>>
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
>
>
>Send instant messages to your online friends http://uk.messenger.yahoo.com
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Send instant messages to your online friends http://uk.messenger.yahoo.com
2
1
I want to authenticate users through using EAP authentication. I managed to
generate the client and root certs from Free Radius.
I have installed the client sert in my notebook. and managed to get
authenticated via AP to Radius.
But i cant seem to find them in the Free Radius accounting database.
There is no log event in the database. I want them to be authenticated in
the radcheck table so that i can set bandwidth to them.
Hope you can help me on this.
Would it be possible to also have monowall users to log into the captive
portal at the same time with EAP turned on in Free Radius.
I want private users to authenticate via certs and also go through captive
portal.
If i enable EAP TLS then users cant login using the captive portal login
page.
Regards,
--
Devinder
--
Devinder
2
2
> Message: 8
> Date: Sat, 05 Apr 2008 08:49:35 +0200
> From: Alan DeKok <aland(a)deployingradius.com>
> Subject: Re: EAP-TLS certificate
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Message-ID: <47F720FF.3040406(a)deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> xia sihua wrote:
> ...
> > CA_file = ${cadir}/ca.pem
> > ....
> >
> > The supplicant I use TeraDot1x Tester from Spirent communication.
> > ...
> > Configuration:
> ...
> > Root Certificate Filename: server.pem
>
> I think that should be "ca.pem".
Actually, it can only pass using server.pem provided by spirent
certificate. If replace ca.pem provided by spirent, it will fails.
>
> > rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> > TLS Alert read:fatal:unknown CA
>
> Yes, the client is telling you that it doesn't know anything about ca.pem.
>
> > If I change Root Certificate Filename from server.pem to ca.pem, will
> > come out following error.
> > ....
> > eaptls_verify returned 11
> > rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate
> > TLS Alert read:fatal:bad certificate
>
> Ask the supplicant vendor why they don't like the certificate we provide.
>
> > If I use those certificates provided by spirent, can pass. I donot know why?
> > Any ideas?
>
> Print out the spirent certificates, and post the result here. Maybe
> there's some extra magic needed.
>
> $ openssl x509 -text -in spirent.crt
I have print out ca.pem, server.pem, client.pem provided by spirent.
But server.pem and client.pem cannot verify pass uising openssl. pls
see the late.
[root@localhost test_spirent]# openssl x509 -text -in ca.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=CA, L=Calabasas, O=Spirent, OU=Engn, CN=Ivan
Yeung/emailAddress=ivan.yeung(a)spirentcom.com
Validity
Not Before: Apr 29 01:15:25 2005 GMT
Not After : Apr 28 01:15:25 2008 GMT
Subject: C=US, ST=CA, L=Calabasas, O=Spirent, OU=Engn, CN=Ivan
Yeung/emailAddress=ivan.yeung(a)spirentcom.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:ab:b8:1a:5f:13:92:83:1e:29:af:f0:66:8d:7f:
7f:68:8f:40:0d:6b:8b:2d:52:ed:57:ec:97:f3:8a:
1b:8a:cb:87:8f:33:fe:bd:5a:ab:2a:e4:62:f0:bd:
98:28:2d:54:db:b2:34:fa:47:e7:18:02:86:e9:f3:
3c:dc:5c:d4:2b:81:f2:6e:82:2f:a5:5f:e7:94:dd:
86:02:6d:9c:e4:ed:2e:a5:9d:8a:bc:52:e2:e4:6d:
ed:30:07:57:bd:e9:1d:08:33:37:26:a9:27:a2:39:
71:cf:0f:63:0c:8e:6b:24:ee:c1:9a:09:aa:c8:d2:
dc:a1:b3:16:79:7e:37:1d:75:14:a3:28:eb:2c:bb:
cc:94:b0:a7:38:e7:0a:a9:45:60:02:95:23:59:00:
72:a7:c5:66:a5:7c:e9:01:83:bf:ec:5d:69:e2:f7:
d6:5b:97:b8:9a:35:bc:55:02:d1:3f:7d:c7:46:0b:
f9:fd:d3:b9:f5:ba:69:6d:e6:6b:e6:d2:c3:f4:ee:
a1:59:8b:c2:cc:db:22:7d:8e:90:f8:7e:33:fd:ac:
d0:00:14:d6:6d:5e:3b:fa:3e:84:3f:45:72:4b:ef:
19:63:4a:4e:aa:30:c2:c6:b4:6e:27:cc:03:29:5e:
01:2f:c3:e1:4d:cf:e7:ce:5d:7c:a5:8d:c0:ea:af:
b3:8b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
0F:5E:3D:62:CB:05:F2:02:9C:0D:74:B4:D7:98:CE:B5:15:3C:5F:9F
X509v3 Authority Key Identifier:
keyid:0F:5E:3D:62:CB:05:F2:02:9C:0D:74:B4:D7:98:CE:B5:15:3C:5F:9F
DirName:/C=US/ST=CA/L=Calabasas/O=Spirent/OU=Engn/CN=Ivan
Yeung/emailAddress=ivan.yeung(a)spirentcom.com
serial:00
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
a7:4b:cd:04:86:e1:cd:2f:3a:b8:68:6b:3a:0b:18:b7:c1:8c:
f0:88:b2:f7:9d:3f:f8:31:7c:6c:59:2c:61:1e:3e:0a:ac:52:
ae:d2:ca:42:5a:ff:46:89:12:80:75:e4:e1:89:3d:71:e3:d9:
31:05:f8:b9:02:c4:cc:a7:6e:73:52:ad:4a:74:30:01:3d:24:
97:93:6f:fb:8f:7b:2d:36:0a:a8:63:dc:35:31:0a:33:31:bb:
ff:0e:32:29:30:c3:76:bd:3f:13:8a:6b:35:af:99:5e:ea:5d:
5e:aa:49:ac:d3:8b:22:64:19:a8:48:e5:a2:54:9d:ea:a4:1c:
a4:e3:e4:ff:86:18:77:c1:c2:17:61:dd:9e:f4:d0:b8:4c:23:
95:f2:16:45:03:fa:9a:38:08:48:c7:d6:74:72:46:86:a3:93:
fe:df:d4:80:cd:d0:52:23:0b:61:f2:ad:6b:24:01:a6:31:ee:
17:49:b5:ee:27:f4:f8:15:eb:c1:51:25:c3:e5:94:09:20:93:
69:fa:31:3d:88:f7:50:bb:95:5d:92:91:7d:f7:6e:90:df:d1:
67:77:56:10:0f:79:dc:94:5e:ea:3e:39:73:28:a7:59:db:b8:
3e:a0:f4:7d:cf:9f:70:63:e0:3a:a0:6d:61:a3:1c:2a:50:dc:
38:51:9e:3c
-----BEGIN CERTIFICATE-----
MIIEiDCCA3CgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBjjELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlDYWxhYmFzYXMxEDAOBgNVBAoTB1NwaXJl
bnQxDTALBgNVBAsTBEVuZ24xEzARBgNVBAMTCkl2YW4gWWV1bmcxKDAmBgkqhkiG
9w0BCQEWGWl2YW4ueWV1bmdAc3BpcmVudGNvbS5jb20wHhcNMDUwNDI5MDExNTI1
WhcNMDgwNDI4MDExNTI1WjCBjjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIw
EAYDVQQHEwlDYWxhYmFzYXMxEDAOBgNVBAoTB1NwaXJlbnQxDTALBgNVBAsTBEVu
Z24xEzARBgNVBAMTCkl2YW4gWWV1bmcxKDAmBgkqhkiG9w0BCQEWGWl2YW4ueWV1
bmdAc3BpcmVudGNvbS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCruBpfE5KDHimv8GaNf39oj0ANa4stUu1X7JfzihuKy4ePM/69Wqsq5GLwvZgo
LVTbsjT6R+cYAobp8zzcXNQrgfJugi+lX+eU3YYCbZzk7S6lnYq8UuLkbe0wB1e9
6R0IMzcmqSeiOXHPD2MMjmsk7sGaCarI0tyhsxZ5fjcddRSjKOssu8yUsKc45wqp
RWAClSNZAHKnxWalfOkBg7/sXWni99Zbl7iaNbxVAtE/fcdGC/n907n1umlt5mvm
0sP07qFZi8LM2yJ9jpD4fjP9rNAAFNZtXjv6PoQ/RXJL7xljSk6qMMLGtG4nzAMp
XgEvw+FNz+fOXXyljcDqr7OLAgMBAAGjge4wgeswHQYDVR0OBBYEFA9ePWLLBfIC
nA10tNeYzrUVPF+fMIG7BgNVHSMEgbMwgbCAFA9ePWLLBfICnA10tNeYzrUVPF+f
oYGUpIGRMIGOMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCUNh
bGFiYXNhczEQMA4GA1UEChMHU3BpcmVudDENMAsGA1UECxMERW5nbjETMBEGA1UE
AxMKSXZhbiBZZXVuZzEoMCYGCSqGSIb3DQEJARYZaXZhbi55ZXVuZ0BzcGlyZW50
Y29tLmNvbYIBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA4IBAQCnS80E
huHNLzq4aGs6Cxi3wYzwiLL3nT/4MXxsWSxhHj4KrFKu0spCWv9GiRKAdeThiT1x
49kxBfi5AsTMp25zUq1KdDABPSSXk2/7j3stNgqoY9w1MQozMbv/DjIpMMN2vT8T
ims1r5le6l1eqkms04siZBmoSOWiVJ3qpByk4+T/hhh3wcIXYd2e9NC4TCOV8hZF
A/qaOAhIx9Z0ckaGo5P+39SAzdBSIwth8q1rJAGmMe4XSbXuJ/T4FevBUSXD5ZQJ
IJNp+jE9iPdQu5VdkpF9926Q39Fnd1YQD3nclF7qPjlzKKdZ27g+oPR9z59wY+A6
oG1hoxwqUNw4UZ48
-----END CERTIFICATE-----
[root@localhost test_spirent]#
[root@localhost test_spirent]# openssl x509 -text -in server.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=CA, L=Calabasas, O=Spirent, OU=Engn,
CN=Radius/emailAddress=radius(a)spirentcom.com
Validity
Not Before: Apr 29 01:19:08 2005 GMT
Not After : Apr 28 01:19:08 2008 GMT
Subject: C=US, ST=CA, L=Calabasas, O=Spirent, OU=Engn,
CN=Radius/emailAddress=radius(a)spirentcom.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:b3:bf:e4:75:11:ac:b0:71:87:23:91:e7:f7:88:
35:98:dc:59:17:b8:30:3e:bc:6b:fa:93:5d:e1:50:
b7:02:aa:43:82:d5:95:71:c0:21:39:be:2b:2a:90:
bb:a7:58:42:7e:d9:1e:62:bd:77:1d:5e:ea:b9:92:
0f:8e:cd:e0:62:af:2f:02:c4:1e:b1:85:39:6c:df:
79:ca:c9:5d:72:22:bd:34:11:3b:42:2e:8e:a4:ce:
44:0d:0e:7c:74:11:3a:c0:ca:28:31:c1:50:67:6c:
e5:98:e6:b0:e2:37:55:9a:3d:ef:9d:37:b9:e3:dc:
9a:68:03:2b:f7:20:05:21:2a:65:6f:78:03:55:7e:
67:71:5c:af:e3:be:f8:20:56:01:4d:49:3e:9d:66:
1b:cf:35:08:b8:be:36:d3:63:65:22:1e:79:72:09:
e2:d6:d3:0c:7e:b7:e5:92:a3:91:fa:b2:08:55:f1:
87:6c:a7:35:7c:dc:d0:2f:a4:1a:fd:03:cb:1b:61:
6a:ee:48:96:4c:19:e3:30:88:f9:a0:57:04:e0:14:
da:d8:0d:0d:54:b6:cd:3a:67:d2:2e:85:aa:d7:b6:
14:7d:10:20:51:70:d6:63:e0:b3:08:70:6a:f7:d4:
3f:02:15:33:92:9d:56:19:2e:54:66:4b:8d:2b:50:
ac:e3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
4E:72:80:A1:2E:2A:E0:0B:42:ED:B2:E0:3B:94:81:E4:6A:85:A2:FE
X509v3 Authority Key Identifier:
keyid:4E:72:80:A1:2E:2A:E0:0B:42:ED:B2:E0:3B:94:81:E4:6A:85:A2:FE
DirName:/C=US/ST=CA/L=Calabasas/O=Spirent/OU=Engn/CN=Radius/emailAddress=radius@spirentcom.com
serial:00
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
65:01:f8:58:99:69:8d:5f:cb:82:2b:38:23:72:ae:9f:fb:07:
51:c8:ca:b0:4e:43:49:35:41:f0:3d:aa:64:e5:04:9c:31:e1:
0d:d4:41:05:29:78:96:cd:51:b0:79:dc:f5:2f:a9:d7:8f:95:
db:9b:45:3b:ed:0d:e8:76:0c:b3:80:71:24:74:59:74:52:a6:
be:fd:a3:4c:7d:45:9f:38:b2:39:ca:02:80:f2:3e:ca:d2:4d:
f6:a4:59:38:d2:b3:ed:ba:a2:62:eb:6f:e2:29:44:21:87:fe:
01:b2:c3:f6:4b:38:fb:d0:5e:07:3e:8e:5e:ee:7d:05:02:51:
08:f2:1b:3a:cc:44:b6:9c:85:65:36:57:6c:b3:9b:ad:9a:6e:
eb:c1:5f:4d:a5:0d:4b:ce:12:a3:f4:41:d7:29:46:b5:b3:b7:
3d:e8:ae:5f:83:0d:e4:9b:8d:a9:c6:6e:c8:0c:16:4e:eb:c9:
d4:ec:98:27:23:34:8c:1f:40:84:cb:0d:ee:11:e6:c1:c6:4a:
46:ba:cb:1a:42:0e:39:1a:96:ca:82:36:86:e7:33:a7:29:22:
a7:e8:ac:c9:90:ed:48:5d:85:57:67:d8:58:0f:5c:3c:dc:4e:
9f:da:4c:fb:e6:e0:49:85:ea:f2:dc:cf:30:7c:04:e1:4e:d5:
e1:fa:c0:7c
-----BEGIN CERTIFICATE-----
MIIEcDCCA1igAwIBAgIBADANBgkqhkiG9w0BAQQFADCBhjELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlDYWxhYmFzYXMxEDAOBgNVBAoTB1NwaXJl
bnQxDTALBgNVBAsTBEVuZ24xDzANBgNVBAMTBlJhZGl1czEkMCIGCSqGSIb3DQEJ
ARYVcmFkaXVzQHNwaXJlbnRjb20uY29tMB4XDTA1MDQyOTAxMTkwOFoXDTA4MDQy
ODAxMTkwOFowgYYxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJ
Q2FsYWJhc2FzMRAwDgYDVQQKEwdTcGlyZW50MQ0wCwYDVQQLEwRFbmduMQ8wDQYD
VQQDEwZSYWRpdXMxJDAiBgkqhkiG9w0BCQEWFXJhZGl1c0BzcGlyZW50Y29tLmNv
bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALO/5HURrLBxhyOR5/eI
NZjcWRe4MD68a/qTXeFQtwKqQ4LVlXHAITm+KyqQu6dYQn7ZHmK9dx1e6rmSD47N
4GKvLwLEHrGFOWzfecrJXXIivTQRO0IujqTORA0OfHQROsDKKDHBUGds5ZjmsOI3
VZo97503uePcmmgDK/cgBSEqZW94A1V+Z3Fcr+O++CBWAU1JPp1mG881CLi+NtNj
ZSIeeXIJ4tbTDH635ZKjkfqyCFXxh2ynNXzc0C+kGv0Dyxthau5IlkwZ4zCI+aBX
BOAU2tgNDVS2zTpn0i6Fqte2FH0QIFFw1mPgswhwavfUPwIVM5KdVhkuVGZLjStQ
rOMCAwEAAaOB5jCB4zAdBgNVHQ4EFgQUTnKAoS4q4AtC7bLgO5SB5GqFov4wgbMG
A1UdIwSBqzCBqIAUTnKAoS4q4AtC7bLgO5SB5GqFov6hgYykgYkwgYYxCzAJBgNV
BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJQ2FsYWJhc2FzMRAwDgYDVQQK
EwdTcGlyZW50MQ0wCwYDVQQLEwRFbmduMQ8wDQYDVQQDEwZSYWRpdXMxJDAiBgkq
hkiG9w0BCQEWFXJhZGl1c0BzcGlyZW50Y29tLmNvbYIBADAMBgNVHRMEBTADAQH/
MA0GCSqGSIb3DQEBBAUAA4IBAQBlAfhYmWmNX8uCKzgjcq6f+wdRyMqwTkNJNUHw
Papk5QScMeEN1EEFKXiWzVGwedz1L6nXj5Xbm0U77Q3odgyzgHEkdFl0Uqa+/aNM
fUWfOLI5ygKA8j7K0k32pFk40rPtuqJi62/iKUQhh/4BssP2Szj70F4HPo5e7n0F
AlEI8hs6zES2nIVlNldss5utmm7rwV9NpQ1LzhKj9EHXKUa1s7c96K5fgw3km42p
xm7IDBZO68nU7JgnIzSMH0CEyw3uEebBxkpGussaQg45GpbKgjaG5zOnKSKn6KzJ
kO1IXYVXZ9hYD1w83E6f2kz75uBJhery3M8wfAThTtXh+sB8
-----END CERTIFICATE-----
[root@localhost test_spirent]#
[root@localhost test_spirent]# openssl x509 -text -in client.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=CA, L=Calabasas, O=Spirent, OU=Engn, CN=Ivan
Yeung/emailAddress=ivan.yeung(a)spirentcom.com
Validity
Not Before: Apr 29 01:15:25 2005 GMT
Not After : Apr 28 01:15:25 2008 GMT
Subject: C=US, ST=CA, L=Calabasas, O=Spirent, OU=Engn, CN=Ivan
Yeung/emailAddress=ivan.yeung(a)spirentcom.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:ab:b8:1a:5f:13:92:83:1e:29:af:f0:66:8d:7f:
7f:68:8f:40:0d:6b:8b:2d:52:ed:57:ec:97:f3:8a:
1b:8a:cb:87:8f:33:fe:bd:5a:ab:2a:e4:62:f0:bd:
98:28:2d:54:db:b2:34:fa:47:e7:18:02:86:e9:f3:
3c:dc:5c:d4:2b:81:f2:6e:82:2f:a5:5f:e7:94:dd:
86:02:6d:9c:e4:ed:2e:a5:9d:8a:bc:52:e2:e4:6d:
ed:30:07:57:bd:e9:1d:08:33:37:26:a9:27:a2:39:
71:cf:0f:63:0c:8e:6b:24:ee:c1:9a:09:aa:c8:d2:
dc:a1:b3:16:79:7e:37:1d:75:14:a3:28:eb:2c:bb:
cc:94:b0:a7:38:e7:0a:a9:45:60:02:95:23:59:00:
72:a7:c5:66:a5:7c:e9:01:83:bf:ec:5d:69:e2:f7:
d6:5b:97:b8:9a:35:bc:55:02:d1:3f:7d:c7:46:0b:
f9:fd:d3:b9:f5:ba:69:6d:e6:6b:e6:d2:c3:f4:ee:
a1:59:8b:c2:cc:db:22:7d:8e:90:f8:7e:33:fd:ac:
d0:00:14:d6:6d:5e:3b:fa:3e:84:3f:45:72:4b:ef:
19:63:4a:4e:aa:30:c2:c6:b4:6e:27:cc:03:29:5e:
01:2f:c3:e1:4d:cf:e7:ce:5d:7c:a5:8d:c0:ea:af:
b3:8b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
0F:5E:3D:62:CB:05:F2:02:9C:0D:74:B4:D7:98:CE:B5:15:3C:5F:9F
X509v3 Authority Key Identifier:
keyid:0F:5E:3D:62:CB:05:F2:02:9C:0D:74:B4:D7:98:CE:B5:15:3C:5F:9F
DirName:/C=US/ST=CA/L=Calabasas/O=Spirent/OU=Engn/CN=Ivan
Yeung/emailAddress=ivan.yeung(a)spirentcom.com
serial:00
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
a7:4b:cd:04:86:e1:cd:2f:3a:b8:68:6b:3a:0b:18:b7:c1:8c:
f0:88:b2:f7:9d:3f:f8:31:7c:6c:59:2c:61:1e:3e:0a:ac:52:
ae:d2:ca:42:5a:ff:46:89:12:80:75:e4:e1:89:3d:71:e3:d9:
31:05:f8:b9:02:c4:cc:a7:6e:73:52:ad:4a:74:30:01:3d:24:
97:93:6f:fb:8f:7b:2d:36:0a:a8:63:dc:35:31:0a:33:31:bb:
ff:0e:32:29:30:c3:76:bd:3f:13:8a:6b:35:af:99:5e:ea:5d:
5e:aa:49:ac:d3:8b:22:64:19:a8:48:e5:a2:54:9d:ea:a4:1c:
a4:e3:e4:ff:86:18:77:c1:c2:17:61:dd:9e:f4:d0:b8:4c:23:
95:f2:16:45:03:fa:9a:38:08:48:c7:d6:74:72:46:86:a3:93:
fe:df:d4:80:cd:d0:52:23:0b:61:f2:ad:6b:24:01:a6:31:ee:
17:49:b5:ee:27:f4:f8:15:eb:c1:51:25:c3:e5:94:09:20:93:
69:fa:31:3d:88:f7:50:bb:95:5d:92:91:7d:f7:6e:90:df:d1:
67:77:56:10:0f:79:dc:94:5e:ea:3e:39:73:28:a7:59:db:b8:
3e:a0:f4:7d:cf:9f:70:63:e0:3a:a0:6d:61:a3:1c:2a:50:dc:
38:51:9e:3c
-----BEGIN CERTIFICATE-----
MIIEiDCCA3CgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBjjELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlDYWxhYmFzYXMxEDAOBgNVBAoTB1NwaXJl
bnQxDTALBgNVBAsTBEVuZ24xEzARBgNVBAMTCkl2YW4gWWV1bmcxKDAmBgkqhkiG
9w0BCQEWGWl2YW4ueWV1bmdAc3BpcmVudGNvbS5jb20wHhcNMDUwNDI5MDExNTI1
WhcNMDgwNDI4MDExNTI1WjCBjjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIw
EAYDVQQHEwlDYWxhYmFzYXMxEDAOBgNVBAoTB1NwaXJlbnQxDTALBgNVBAsTBEVu
Z24xEzARBgNVBAMTCkl2YW4gWWV1bmcxKDAmBgkqhkiG9w0BCQEWGWl2YW4ueWV1
bmdAc3BpcmVudGNvbS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCruBpfE5KDHimv8GaNf39oj0ANa4stUu1X7JfzihuKy4ePM/69Wqsq5GLwvZgo
LVTbsjT6R+cYAobp8zzcXNQrgfJugi+lX+eU3YYCbZzk7S6lnYq8UuLkbe0wB1e9
6R0IMzcmqSeiOXHPD2MMjmsk7sGaCarI0tyhsxZ5fjcddRSjKOssu8yUsKc45wqp
RWAClSNZAHKnxWalfOkBg7/sXWni99Zbl7iaNbxVAtE/fcdGC/n907n1umlt5mvm
0sP07qFZi8LM2yJ9jpD4fjP9rNAAFNZtXjv6PoQ/RXJL7xljSk6qMMLGtG4nzAMp
XgEvw+FNz+fOXXyljcDqr7OLAgMBAAGjge4wgeswHQYDVR0OBBYEFA9ePWLLBfIC
nA10tNeYzrUVPF+fMIG7BgNVHSMEgbMwgbCAFA9ePWLLBfICnA10tNeYzrUVPF+f
oYGUpIGRMIGOMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCUNh
bGFiYXNhczEQMA4GA1UEChMHU3BpcmVudDENMAsGA1UECxMERW5nbjETMBEGA1UE
AxMKSXZhbiBZZXVuZzEoMCYGCSqGSIb3DQEJARYZaXZhbi55ZXVuZ0BzcGlyZW50
Y29tLmNvbYIBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA4IBAQCnS80E
huHNLzq4aGs6Cxi3wYzwiLL3nT/4MXxsWSxhHj4KrFKu0spCWv9GiRKAdeThiT1x
49kxBfi5AsTMp25zUq1KdDABPSSXk2/7j3stNgqoY9w1MQozMbv/DjIpMMN2vT8T
ims1r5le6l1eqkms04siZBmoSOWiVJ3qpByk4+T/hhh3wcIXYd2e9NC4TCOV8hZF
A/qaOAhIx9Z0ckaGo5P+39SAzdBSIwth8q1rJAGmMe4XSbXuJ/T4FevBUSXD5ZQJ
IJNp+jE9iPdQu5VdkpF9926Q39Fnd1YQD3nclF7qPjlzKKdZ27g+oPR9z59wY+A6
oG1hoxwqUNw4UZ48
-----END CERTIFICATE-----
[root@localhost test_spirent]#
[root@localhost test_spirent]# openssl verify -CApath . client.pem
client.pem: /C=US/ST=CA/L=Calabasas/O=Spirent/OU=Engn/CN=Ivan
Yeung/emailAddress=ivan.yeung(a)spirentcom.com
error 18 at 0 depth lookup:self signed certificate
OK
[root@localhost test_spirent]#
[root@localhost test_spirent]# openssl verify -CAfile ca.pem server.pem
server.pem: /C=US/ST=CA/L=Calabasas/O=Spirent/OU=Engn/CN=Radius/emailAddress=radius(a)spirentcom.com
error 18 at 0 depth lookup:self signed certificate
OK
[root@localhost test_spirent]#
>
> Alan DeKok.
--
Best regards!
walter
***************************************
Nothing is impossible!
***************************************
1
0
I am attempting an rpmbuild of freeradius due to the version included in
Centos (1.14)- We are experiencing issues with windows vista, and read
something in an earlier post regarding such a bug that 1.17 and later
will fix.
However, during the build, I receive this error:
See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
+ RADDB=/var/tmp/freeradius-server-root/etc/raddb
+ perl -i -pe 's/^#user =.*$/user = radiusd/'
/var/tmp/freeradius-server-root/etc/raddb/radiusd.conf
+ perl -i -pe 's/^#group =.*$/group = radiusd/'
/var/tmp/freeradius-server-root/etc/raddb/radiusd.conf
+ perl -i -pe 's/# shadow =/shadow =/'
/var/tmp/freeradius-server-root/etc/raddb/radiusd.conf
+ rm -f /var/tmp/freeradius-server-root/usr/sbin/rc.radiusd
+ install -m 0644 CREDITS
/var/tmp/freeradius-server-root/usr/share/doc/freeradius-server-2.0.3
+ install -m 0644 COPYRIGHT
/var/tmp/freeradius-server-root/usr/share/doc/freeradius-server-2.0.3
+ install -m 0644 LICENSE
/var/tmp/freeradius-server-root/usr/share/doc/freeradius-server-2.0.3
+ cd redhat
+ install -m 755 rc.radiusd-redhat
/var/tmp/freeradius-server-root/etc/rc.d/init.d/radiusd
+ install -m 644 radiusd-logrotate
/var/tmp/freeradius-server-root/etc/logrotate.d/radiusd
+ install -m 644 radiusd-pam
/var/tmp/freeradius-server-root/etc/pam.d/radius
+ cd ..
+ /usr/lib/rpm/brp-compress
+ /usr/lib/rpm/brp-strip
+ /usr/lib/rpm/brp-strip-static-archive
strip: Unable to recognise the format of the input file
`/var/tmp/freeradius-server-root/usr/lib64/rlm_perl.a(DynaLoader.a)'
strip: Unable to recognise the format of the input file
`/var/tmp/freeradius-server-root/usr/lib64/rlm_perl.a(DynaLoader.a)'
+ /usr/lib/rpm/brp-strip-comment-note
Processing files: freeradius-server-2.0.3-0
error: File not found:
/var/tmp/freeradius-server-root/usr/share/freeradius-server
error: File must begin with "/": %{_incdir}/freeradius/*
RPM build errors:
File not found:
/var/tmp/freeradius-server-root/usr/share/freeradius-server
File must begin with "/": %{_incdir}/freeradius/*
ANY assistance in this issue would be wonderful!
Thank you,
Austin G. Smith, A+, MCP
Digital Son, I.T. Services
www.digitalson.com
678.213.0550 x:101 Office
678.213.0535 Fax
Need reliable hosting?
www.digitalsonhosting.com
6
21
chillispot hotspotlogin.cgi contains
# Shared secret used to encrypt challenge with. Prevents dictionary attacks.
# You should change this to your own shared secret.
$uamsecret = "testing123";
# Uncomment the following line if you want to use ordinary user-password
# for radius authentication. Must be used together with $uamsecret.
$userpassword=1;
nas table
>+----+-----------+-----------+------+-------+------------+-----------+-------------+
>| id | nasname | shortname | type | ports | secret | community | description |
>+----+-----------+-----------+------+-------+------------+-----------+-------------+
>| 1 | 127.0.0.1 | localhost | NULL | NULL | testing123 | NULL | NULL |
>+----+-----------+-----------+------+-------+------------+-----------+-------------+
radcheck table
mysql> select * from radcheck;
+----+----------+--------------------+----+-------+
| id | UserName | Attribute | op | Value |
+----+----------+--------------------+----+-------+
| 1 | s | Cleartext-Password | := | sandy |
| 2 | steve | Cleartext-Password | := | s |
+----+----------+--------------------+----+-------+
2 rows in set (0.00 sec)
clients.conf
client 192.168.182.1/24 {
secret = testing123
shortname = private-network
}
nas table and clients.conf are both on radius server. You need to make
testing123 secret on the portal that is sending those reqests.
Ivan Kalik
Kalik Informatika ISP
Dana 7/4/2008, "SANDY KALUGDAN" <sandykalugdan(a)yahoo.com> piše:
>I've checked the clients.conf and it uses testing123 as the secret.
>I've created a record on nas
>mysql> select * from nas;
>+----+-----------+-----------+------+-------+------------+-----------+-------------+
>| id | nasname | shortname | type | ports | secret | community | description |
>+----+-----------+-----------+------+-------+------------+-----------+-------------+
>| 1 | 127.0.0.1 | localhost | NULL | NULL | testing123 | NULL | NULL |
>+----+-----------+-----------+------+-------+------------+-----------+-------------+
>
>here is a portion of the radiusd -X output
>
>rlm_pap: Found existing Auth-Type, not changing it.
>++[pap] returns noop
> rad_check_password: Found Auth-Type
>auth: type Local
>auth: user supplied User-Password does NOT match local User-Password
>auth: Failed to validate the user.
>Login incorrect: [s/\365\010\343\323] (from client localhost port 0 cli 00-1C-A4-6F-21-10)
> WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
> Found Post-Auth-Type Reject
>+- entering group REJECT
> expand: %{User-Name} -> s
> attr_filter: Matched entry DEFAULT at line 11
>
>
>
>----- Original Message ----
>From: Ivan Kalik <tnt(a)kalik.net>
>To: FreeRadius users mailing list <freeradius-users(a)lists.freeradius.org>
>Sent: Monday, April 7, 2008 16:22:38
>Subject: Re: Freeradius + CHAP
>
>> User-Password = "\340\334\351\234"
>
>Shared secret in clents.conf and on the NAS is not the same.
>
>Ivan Kalik
>Kalik Informatika ISP
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
>
>
>Send instant messages to your online friends http://uk.messenger.yahoo.com
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Send instant messages to your online friends http://uk.messenger.yahoo.com
2
1
I've checked the clients.conf and it uses testing123 as the secret.
I've created a record on nas
mysql> select * from nas;
+----+-----------+-----------+------+-------+------------+-----------+-------------+
| id | nasname | shortname | type | ports | secret | community | description |
+----+-----------+-----------+------+-------+------------+-----------+-------------+
| 1 | 127.0.0.1 | localhost | NULL | NULL | testing123 | NULL | NULL |
+----+-----------+-----------+------+-------+------------+-----------+-------------+
here is a portion of the radiusd -X output
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Login incorrect: [s/\365\010\343\323] (from client localhost port 0 cli 00-1C-A4-6F-21-10)
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> s
attr_filter: Matched entry DEFAULT at line 11
----- Original Message ----
From: Ivan Kalik <tnt(a)kalik.net>
To: FreeRadius users mailing list <freeradius-users(a)lists.freeradius.org>
Sent: Monday, April 7, 2008 16:22:38
Subject: Re: Freeradius + CHAP
> User-Password = "\340\334\351\234"
Shared secret in clents.conf and on the NAS is not the same.
Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Send instant messages to your online friends http://uk.messenger.yahoo.com
2
1