Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
April 2008
- 161 participants
- 323 discussions
Alan, the certificates that i need to take from my old version are the
/certs/*.* ?
Thanks.
------------------------------
Message: 3
Date: Fri, 4 Apr 2008 09:13:47 +0100
From: A.L.M.Buxey(a)lboro.ac.uk
Subject: Re: Users cant connect Freeradius 2.0.2
To: FreeRadius users mailing list
<freeradius-users(a)lists.freeradius.org>
Message-ID: <20080404081347.GD10891(a)lboro.ac.uk>
Content-Type: text/plain; charset=iso-8859-1
Hi,
> Hi Alan.
>
> In old version I don't to create SSL certificates. Just to configure file
> radius.conf, eap.conf, users, clients.conf and when I run the program it
> work fine.
>
> With a new versions I make same configurations but not work.
>
> ?I think that the SSL certificates can be create alone by the server?
take the certificates from the old version and put them on the new version.
alan
2
1
Hi all im pretty new to Freeradius,
We want to centralize authentification in our envirronement.
I have search on google but i did'nt find any "how to" about the
configuration of FreeRadius server Vs Nortel Baystack switch's. Some one
can point me in good direction for documentation to set this up?
Thanks all.
Francis Provencher
Ministère de la Sécurité publique du Québec
Direction des technologies de l'information
Division de la sécurité informatique
Tél: 1 418 646-3258
BlackBery; 1 418 473 6419
Courriel: Francis.provencher(a)Msp.gouv.qc.ca
CEH - Certified Ethical Hackers
SSCP - System Security Certified Practitionner
Sec+ - Security +
2
2
Hi, I want to configure my freeradius to authorize my user with an sql
database or if the user isn't present it would check in AD.
Here is my conf for now.
authorize {
preprocess
sql
if (notfound) {
ntlm_auth
}
eap
expiration
logintime
}
authenticate {
ntlm_auth
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
eap
}
And here is my radiusd.conf
modules {
exec ntlm_auth {
wait = no
program = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{mschap:NT-Domain:-intranet}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
}
$INCLUDE eap.conf
mschap {
with_ntdomain_hack = yes
}
}
And here the log with radiusd -X if I try an user who's in AD.
rlm_sql (sql): sql_set_user escaped user --> 'gchartra'
rlm_sql (sql): Reserving sql socket id: 1
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT
id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'gchartra'
ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'gchartra' ORDER BY id
rlm_sql (sql): Released sql socket id: 1
rlm_sql (sql): User gchartra not found
++[sql] returns notfound
++? if (notfound)
? Evaluating "notfound" -> TRUE
++? if (notfound) -> TRUE
++- entering if (notfound)
expand: --username=%{mschap:User-Name:-None} ->
--username=gchartra
rlm_mschap: No NT-Domain was found in the User-Name.
expand: --domain=%{mschap:NT-Domain:-intranet} ->
--domain=intranet
rlm_mschap: No MS-CHAP-Challenge in the request.
expand: --challenge=%{mschap:Challenge:-00} -> --challenge=00
rlm_mschap: No MS-CHAP-Response or MS-CHAP2-Response was found in the
request.
expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=00
+++[ntlm_auth] returns ok
++- if (notfound) returns ok
rlm_eap: EAP packet type response id 7 length 90
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
PEAP: Setting User-Name to gchartra
+- entering group authorize
++[preprocess] returns ok
expand: %{User-Name} -> gchartra
rlm_sql (sql): sql_set_user escaped user --> 'gchartra'
rlm_sql (sql): Reserving sql socket id: 0
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT
id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'gchartra'
ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'gchartra' ORDER BY id
rlm_sql (sql): Released sql socket id: 0
rlm_sql (sql): User gchartra not found
++[sql] returns notfound
++? if (notfound)
? Evaluating "notfound" -> TRUE
++? if (notfound) -> TRUE
++- entering if (notfound)
expand: --username=%{mschap:User-Name:-None} ->
--username=gchartra
rlm_mschap: No NT-Domain was found in the User-Name.
expand: --domain=%{mschap:NT-Domain:-intranet} ->
--domain=intranet
rlm_mschap: No MS-CHAP-Challenge in the request.
expand: --challenge=%{mschap:Challenge:-00} -> --challenge=00
rlm_mschap: No MS-CHAP-Response or MS-CHAP2-Response was found in the
request.
expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=00
+++[ntlm_auth] returns ok
++- if (notfound) returns ok
rlm_eap: EAP packet type response id 7 length 67
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create
LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create
NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for gchartra with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
So the last part if I understand is when the authentification section is
call, he try to authentification with my module ntlm_auth but it fail
and I don't know why.
If in the radius.conf mschap section module I insert the same ntlm_auth
line of the exec. The sql don't work but AD work. If I put nothing in
mschap section. The SQL works but not AD. So what I did make wrong
Thank
----------------------------
Guillaume Chartrand
3
3
Good afternoon!
After upgrade 1.1.7 to 2.0.3+ freeradius
I have noticed, that that is brought in the table
has ceased to be processed
Select * from radgroupcheck where groupname='blackholed';
1 181 blackholed Auth-Type := Reject
2 182 blackholed Fall-Through = No
select * from usergroup where clid='250092020001115' and
groupname='blackholed';
1 17651 250092020001115 blackholed 10
radiusd -X:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 23903, id=228,
length=69
User-Name = "mobile"
User-Password = "internet"
Calling-Station-Id = "250092020001115"
NAS-IP-Address = 83.217.24.21
+- entering group authorize
expand: simbirsk -> simbirsk
SIMBIRSK-ULN: Does not match: User-Name = mobile
++[SIMBIRSK-ULN] returns ok
expand: uuuuuuuuuu -> uuuuuuuuuu
UUU: Does not match: User-Name = mobile
++[UUU] returns ok
expand: %{Calling-Station-Id} -> 250092020001115
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "mobile", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Proxying request from user mobile to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
users: Matched entry DEFAULT at line 10
++[files] returns ok
expand: %{User-Name} -> mobile
rlm_sql (sqlauth): sql_set_user escaped user --> 'mobile'
rlm_sql (sqlauth): Reserving sql socket id: 4
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '%{SQL-User-Name}' ORDER BY id -> SELECT
id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'mobile' ORDER
BY id
rlm_sql (sqlauth): User found in radcheck table
expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = '%{SQL-User-Name}' ORDER BY id -> SELECT
id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'mobile' ORDER
BY id
expand: SELECT GroupName FROM usergroup WHERE
UserName='%{SQL-User-Name}' OR CLID='%{Calling-Station-Id}' order by
priority -> SELECT GroupName FROM usergroup WHERE UserName='mobile' OR
CLID='250092020001115' order by priority
expand: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
(usergroup.Username = '%{SQL-User-Name}' or usergroup.CLID =
'%{Calling-Station-Id}') AND usergroup.GroupName = radgroupcheck.GroupName
ORDER BY usergroup.PRIORITY,radgroupcheck.id -> SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
(usergroup.Username = 'mobile' or usergroup.CLID = '250092020001115') AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY
usergroup.PRIORITY,radgroupcheck.id
rlm_sql (sqlauth): User found in group mppc
expand: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
(usergroup.Username = '%{SQL-User-Name}' OR usergroup.CLID =
'%{Calling-Station-Id}') AND usergroup.GroupName = radgroupreply.GroupName
ORDER BY radgroupreply.id -> SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
(usergroup.Username = 'mobile' OR usergroup.CLID = '250092020001115') AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sqlauth): Released sql socket id: 4
++[sqlauth] returns ok
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [mobile/internet] (from client localhost port 0 cli
250092020001115)
Sending Access-Accept of id 228 to 127.0.0.1 port 23903
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Stac-LZS
Framed-Compression += Van-Jacobson-TCP-IP
Filter-Id = "fw-simbirsk.out"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 228 with timestamp +2
Ready to process requests.
Why radius say that Found Auth-Type Accept when Auth-Type := Reject?
3
8
3. blackholed in radgroupcheck an blackholed in usergroup are not the
same. There is space or some character in that field in usergroup table
so GroupName.radgroupcheck doesn't match GroupName.usergroup. Copy the
radgroupcheck statement from the debug and see if that returns anything.
Ivan Kalik
Kalik Informatika ISP
2
7
Hi,
I have a problem configuring wireless 802.1x authentication with FR and a
Windows client. I use version FR 2.0.3 and think I configured everything
quite well.
FR sends out the Access-Challenge but my windows client does not answer it. I
recreated the default certificates to be sure that the nessesary OIDs (see
xpentenstions) are included. But still no success. Any idea? Thanks.
--
Config:
modules {
pap {
auto_header = no
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
radwtmp = ${logdir}/radwtmp
}
$INCLUDE eap.conf
mschap {
authtype=MS-CHAP
use_mppe=yes
require_encryption = yes
require_strong = yes
}
$INCLUDE sites-enabled/
eap.conf:
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
certdir=/usr/local/etc/raddb/certs
cadir=/usr/local/etc/raddb/certs
private_key_password = whatever
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
cipher_list = "DEFAULT"
make_cert_command = "${certdir}/bootstrap"
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
peap {
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
sites-enabled/default.conf
authorize {
preprocess
chap
mschap
suffix
eap {
ok = return
}
unix
files
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschapv2
}
unix
eap
}
Thanks for any hint.
Michael Schwartzkopff
1
1
RE: Re: Missing NAS-Port in Access request with respect to RFC 2865
by Ramm-Ericson, Johannes 04 Apr '08
by Ramm-Ericson, Johannes 04 Apr '08
04 Apr '08
Alan DeKok wrote:
>Ramm-Ericson, Johannes wrote:
>> OK. However, access requests from that particular NAS are in effect
>> not processed the way I expect because of the lacking NAS-Port which
>> still leaves me with a problem I need to understand and fix.
>
> There is likely nothing that you can do. This is the reality of
working with different
> RADIUS implementations and administrators.
OK, thanks! Then I'll use that as my working basis.
> Just to clarify; I may very well be wrong about all this but I have a
> workaround that I think is just that: a workaround, rather than a
> correct solution. My hope is that either someone on the mailinglist
> can explain why I'm getting it all wrong or that I actually have found
> a bug and that it in that case hopefully can be squashed.
>
> It is not a bug. It is perfectly valid for different modules in the
server to do different
> things with a RADIUS packet. Does that make sense to you?
>
> If you would have it your way, *every* module in the server would
enforce *all* of the RFC > requirements. This is nonsense. You would
not require the PAP module to accept CHAP,
> MS-CHAP, etc. So why make the radutmp module understand
NAS-Port-Type?
I was never trying to imply that - all I was trying to do was find an
explanation for behaviour that didn't make sense to me.
Your answer above stating that this is the way things are, works fine
for me.
Thanks & Regards,
J.
1
0
Hi to all.
I'm tryng to set up "freeradius_1.1.7 + AP_Cisco_1130 + PEAP".
Freeradius is configured to use a database mysql, and I launch
freeradius by "radiusd -x"
When my client windows XP (configured to use 802.1x) is connecting to AP
Cisco, it receive a request "username + password + domain", I type
"username + password", but in radius log I obtain:
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): User pippo not found in radcheck
rlm_sql (sql): User pippo not found in radgroupcheck
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): User not found
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
Login incorrect: [pippo/<no User-Password attribute>] (from client
ap-pippo port 257 cli 0002.2d1d.5eb7)
Thank you
enrico
My configuration is:
[root@zaphod raddb]# cat *radiusd.conf* | grep -v \#
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
db_dir = ${localstatedir}/lib/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
auto_header = yes
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
shadow = /etc/shadow
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
}
ldap {
server = "ldap.your.domain"
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
edir_account_policy_check=no
timeout = 4
timelimit = 3
net_timeout = 1
}
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
detail {
detailfile =
${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
$INCLUDE ${confdir}/sql.conf
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${db_dir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
reply-name = Session-Timeout
sqlmod-inst = sql
key = User-Name
reset = daily
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
reply-name = Session-Timeout
sqlmod-inst = sql
key = User-Name
reset = monthly
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${db_dir}/db.ippool
ip-index = ${db_dir}/db.ipindex
override = no
maximum-timeout = 0
}
}
instantiate {
exec
expr
}
authorize {
sql
pap
preprocess
mschap
suffix
eap
}
authenticate {
Auth-Type MS-CHAP {
mschap
}
unix
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
radutmp
sql
}
session {
radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
eap
}
[root@zaphod raddb]# cat *eap.conf *| grep -v \#
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
leap {
}
gtc {
auth_type = PAP
}
tls {
private_key_password = pippo
private_key_file = ${raddbdir}/certs/cert-srv.pem
certificate_file = ${raddbdir}/certs/cert-srv.pem
CA_file = ${raddbdir}/certs/cacert.pem
dh_file = ${raddbdir}/certs/dh1024.pem
random_file = /dev/urandom
}
peap {
default_eap_type = mschapv2
}
mschapv2 {
}
}
The log file is:
[root@zaphod raddb]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/etc/raddb/certs/cacert.pem"
tls: private_key_password = "pippo"
tls: dh_file = "/etc/raddb/certs/dh1024.pem"
tls: random_file = "/dev/urandom"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
tls: cipher_list = "(null)"
tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded SQL
sql: driver = "rlm_sql_mysql"
sql: server = "10.0.0.81"
sql: port = ""
sql: login = "radius"
sql: password = "radius"
sql: radius_db = "radius"
sql: nas_table = "nas"
sql: sqltrace = no
sql: sqltracefile = "/var/log/radius/sqltrace.sql"
sql: readclients = yes
sql: deletestalesessions = yes
sql: num_sql_socks = 5
sql: sql_user_name = "%{User-Name}"
sql: default_user_profile = ""
sql: query_on_not_found = no
sql: authorize_check_query = "select distinct
u.id,u.UserName,u.Attribute,u.Value,u.op from radcheck u,user_nas un,nas
n where u.username=un.user and (un.nas is null or un.nas=n.id ) and
u.username='%{SQL-User-Name}' and n.nasname='%{NAS-IP-Address}';"
sql: authorize_reply_query = "SELECT id, UserName, Attribute, Value,
op FROM radreply WHERE Username =
'%{SQL-User-Name}' ORDER BY id"
sql: authorize_group_check_query = "SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username =
'%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName
ORDER BY radgroupcheck.id"
sql: authorize_group_reply_query = "SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username =
'%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName
ORDER BY radgroupreply.id"
sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S',
AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime),
AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay =
'%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND
NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
sql: accounting_update_query = " UPDATE radacct
SET FramedIPAddress = '%{Framed-IP-Address}',
AcctSessionTime = '%{Acct-Session-Time}',
AcctInputOctets = '%{Acct-Input-Gigawords:-0}' << 32
|
'%{Acct-Input-Octets:-0}', AcctOutputOctets =
'%{Acct-Output-Gigawords:-0}' << 32 |
'%{Acct-Output-Octets:-0}' WHERE AcctSessionId =
'%{Acct-Session-Id}' AND UserName =
'%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
sql: accounting_update_query_alt = " INSERT INTO
radacct (AcctSessionId, AcctUniqueId,
UserName, Realm, NASIPAddress,
NASPortId, NASPortType, AcctStartTime,
AcctSessionTime, AcctAuthentic, ConnectInfo_start,
AcctInputOctets, AcctOutputOctets, CalledStationId,
CallingStationId, ServiceType, FramedProtocol,
FramedIPAddress, AcctStartDelay,
XAscendSessionSvrKey) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}', '%{NAS-Port-Type}',
DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0}
+ %{Acct-Delay-Time:-0})
SECOND), '%{Acct-Session-Time}',
'%{Acct-Authentic}', '', '%{Acct-Input-Gigawords:-0}' << 32
| '%{Acct-Input-Octets:-0}',
'%{Acct-Output-Gigawords:-0}' << 32 |
'%{Acct-Output-Octets:-0}', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}',
'0', '%{X-Ascend-Session-Svr-Key}')"
sql: accounting_start_query = " INSERT INTO
radacct (AcctSessionId, AcctUniqueId,
UserName, Realm, NASIPAddress,
NASPortId, NASPortType, AcctStartTime,
AcctStopTime, AcctSessionTime, AcctAuthentic,
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets,
AcctOutputOctets, CalledStationId, CallingStationId,
AcctTerminateCause, ServiceType, FramedProtocol,
FramedIPAddress, AcctStartDelay, AcctStopDelay,
XAscendSessionSvrKey) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0',
'0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0',
'0', '%{Called-Station-Id}', '%{Calling-Station-Id}',
'', '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '%{Acct-Delay-Time:-0}', '0',
'%{X-Ascend-Session-Svr-Key}')"
sql: accounting_start_query_alt = "UPDATE radacct SET AcctStartTime =
'%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start =
'%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND
UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
sql: accounting_stop_query = " UPDATE radacct
SET AcctStopTime = '%S',
AcctSessionTime = '%{Acct-Session-Time}',
AcctInputOctets = '%{Acct-Input-Gigawords:-0}' << 32
|
'%{Acct-Input-Octets:-0}', AcctOutputOctets =
'%{Acct-Output-Gigawords:-0}' << 32 |
'%{Acct-Output-Octets:-0}', AcctTerminateCause =
'%{Acct-Terminate-Cause}', AcctStopDelay =
'%{Acct-Delay-Time:-0}', ConnectInfo_stop =
'%{Connect-Info}' WHERE AcctSessionId =
'%{Acct-Session-Id}' AND UserName =
'%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
sql: accounting_stop_query_alt = " INSERT INTO
radacct (AcctSessionId, AcctUniqueId, UserName,
Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime,
AcctStopTime, AcctSessionTime, AcctAuthentic,
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets,
AcctOutputOctets, CalledStationId, CallingStationId,
AcctTerminateCause, ServiceType, FramedProtocol,
FramedIPAddress, AcctStartDelay, AcctStopDelay)
VALUES ('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}', '%{NAS-Port-Type}',
DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0}
+ %{Acct-Delay-Time:-0}) SECOND), '%S',
'%{Acct-Session-Time}', '%{Acct-Authentic}', '',
'%{Connect-Info}', '%{Acct-Input-Gigawords:-0}' << 32
| '%{Acct-Input-Octets:-0}',
'%{Acct-Output-Gigawords:-0}' << 32 |
'%{Acct-Output-Octets:-0}', '%{Called-Station-Id}',
'%{Calling-Station-Id}',
'%{Acct-Terminate-Cause}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}', '0',
'%{Acct-Delay-Time:-0}')"
sql: group_membership_query = "SELECT GroupName FROM usergroup WHERE
UserName='%{SQL-User-Name}'"
sql: connect_failure_retry_delay = 60
sql: simul_count_query = ""
sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId,
UserName, NASIPAddress, NASPortId,
FramedIPAddress, CallingStationId,
FramedProtocol FROM
radacct WHERE
UserName='%{SQL-User-Name}' AND
AcctStopTime = 0"
sql: postauth_query = "INSERT into radpostauth (user, pass, reply,
date) values ('%{User-Name}', '%{User-Password:-Chap-Password}',
'%{reply:Packet-Type}', NOW())"
sql: safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radius@10.0.0.81:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): - generate_sql_clients
rlm_sql (sql): Query: SELECT * FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Read entry
nasname=10.0.0.253,shortname=ap-pippo,secret=test123
rlm_sql (sql): Adding client 10.0.0.253 (ap-pippo) to clients list
rlm_sql (sql): Released sql socket id: 4
Module: Instantiated sql (sql)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
detail: detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.0.253:1645, id=17, length=128
User-Name = "pippo"
Framed-MTU = 1400
Called-Station-Id = "001e.f7ea.1730"
Calling-Station-Id = "0002.2d1d.5eb7"
Service-Type = Login-User
Message-Authenticator = 0xb2a34d2479aabe20cc3ded46555ee1a6
EAP-Message = 0x0202000a01706970706f
NAS-Port-Type = Wireless-802.11
NAS-Port = 259
NAS-Port-Id = "259"
NAS-IP-Address = 10.0.0.253
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
radius_xlat: 'pippo'
rlm_sql (sql): sql_set_user escaped user --> 'pippo'
radius_xlat: 'select distinct u.id,u.UserName,u.Attribute,u.Value,u.op
from radcheck u,user_nas un,nas n where u.username=un.user and (un.nas
is null or un.nas=n.id ) and u.username='pippo' and n.nasname='10.0.0.253';'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): User pippo not found in radcheck
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'pippo' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'pippo' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User pippo not found in radgroupcheck
rlm_sql (sql): Released sql socket id: 3
rlm_sql (sql): User not found
modcall[authorize]: module "sql" returns notfound for request 0
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "pippo", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 2 length 10
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 17 to 10.0.0.253 port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa402c6c099bb47a440a8c0f0095c61b2
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.0.253:1645, id=18, length=216
User-Name = "pippo"
Framed-MTU = 1400
Called-Station-Id = "001e.f7ea.1730"
Calling-Station-Id = "0002.2d1d.5eb7"
Service-Type = Login-User
Message-Authenticator = 0x709ea0c08e0e5d2ef590c6fc5830afb3
EAP-Message =
0x0203005019800000004616030100410100003d030147f48088fce05c262610990ce4c149c5460907e7ceb6d20e4f2ec7e629c864b900001600040005000a000900640062000300060013001200630100
NAS-Port-Type = Wireless-802.11
NAS-Port = 259
NAS-Port-Id = "259"
State = 0xa402c6c099bb47a440a8c0f0095c61b2
NAS-IP-Address = 10.0.0.253
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
radius_xlat: 'pippo'
rlm_sql (sql): sql_set_user escaped user --> 'pippo'
radius_xlat: 'select distinct u.id,u.UserName,u.Attribute,u.Value,u.op
from radcheck u,user_nas un,nas n where u.username=un.user and (un.nas
is null or un.nas=n.id ) and u.username='pippo' and n.nasname='10.0.0.253';'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): User pippo not found in radcheck
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'pippo' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'pippo' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User pippo not found in radgroupcheck
rlm_sql (sql): Released sql socket id: 2
rlm_sql (sql): User not found
modcall[authorize]: module "sql" returns notfound for request 1
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "pippo", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 3 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 065e], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 18 to 10.0.0.253 port 1645
EAP-Message =
0x0104040a19c0000006bb160301004a02000046030147f47fc1ba931d020e933aff03fc71fd91ac470102f120af36ca0be4fed95caa20737de654ccff43442f20381c04c54171e60319dcf3516a050d41b0686df06bad000400160301065e0b00065a0006570002b1308202ad30820216a003020102020101300d06092a864886f70d0101050500308191310b3009060355040613024954310d300b06035504081304526f6d61310d300b06035504071304526f6d613111300f060355040a1308416c7465726e65743111300f060355040b1308416c7465726e6574311b301906035504031312436c69656e742063657274696669636174653121301f06
EAP-Message =
0x092a864886f70d0109011612636c69656e74406578616d706c652e636f6d301e170d3038303332373231313330305a170d3039303332373231313330305a30818d310b3009060355040613024954310d300b06035504081304526f6d61310d300b06035504071304526f6d613111300f060355040a1308416c7465726e65743111300f060355040b1308416c7465726e65743119301706035504031310526f6f74206365727469666963617465311f301d06092a864886f70d0109011610726f6f74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100c182f362d5491a660356870c7866faa413af
EAP-Message =
0x93139d2db77b4570397578eb62feac4637800cacd5d66d4f25d241e7ae93d12dc3ae8d0588115d85bd48e3e540650fcddec65aab9f94b5c6eda2ea1ef03912653d61b9ff25fd0ddf0022656f805e7e35059c115415f3ba2812fd2ead5cfd0df3ca5663a6fbac33636a07ab8a6eeb0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000381810090ebad1fcb48ecb8277873866678c36f06d0ae5e6fe99ad59be65836a17e76708b8120a8f5f870fc4e9f5562f8f3e3513eb78403aa7de2a024bf907add6925ab0b1683f658bb1af307b5c304026561affd0ced7fe98840744f85d01539cd
EAP-Message =
0xc55bed9bff4b9e081a184e8e1c25ced964a6ef9ab2d8f27781b175792db2d7d711640003a03082039c30820305a0030201020209008dda5bd3a7f50e3e300d06092a864886f70d0101050500308191310b3009060355040613024954310d300b06035504081304526f6d61310d300b06035504071304526f6d613111300f060355040a1308416c7465726e65743111300f060355040b1308416c7465726e6574311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d301e170d3038303332373231313031335a170d31303033323732313130
EAP-Message = 0x31335a308191310b3009060355040613024954310d30
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4ae44370934a98b82a152f86c9de1662
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.0.253:1645, id=19, length=142
User-Name = "pippo"
Framed-MTU = 1400
Called-Station-Id = "001e.f7ea.1730"
Calling-Station-Id = "0002.2d1d.5eb7"
Service-Type = Login-User
Message-Authenticator = 0x66a27d85a1c426f22ba11e90306202dc
EAP-Message = 0x020400061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 259
NAS-Port-Id = "259"
State = 0x4ae44370934a98b82a152f86c9de1662
NAS-IP-Address = 10.0.0.253
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
radius_xlat: 'pippo'
rlm_sql (sql): sql_set_user escaped user --> 'pippo'
radius_xlat: 'select distinct u.id,u.UserName,u.Attribute,u.Value,u.op
from radcheck u,user_nas un,nas n where u.username=un.user and (un.nas
is null or un.nas=n.id ) and u.username='pippo' and n.nasname='10.0.0.253';'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): User pippo not found in radcheck
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'pippo' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'pippo' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User pippo not found in radgroupcheck
rlm_sql (sql): Released sql socket id: 1
rlm_sql (sql): User not found
modcall[authorize]: module "sql" returns notfound for request 2
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "pippo", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
modcall: leaving group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 19 to 10.0.0.253 port 1645
EAP-Message =
0x010502c119000b06035504081304526f6d61310d300b06035504071304526f6d613111300f060355040a1308416c7465726e65743111300f060355040b1308416c7465726e6574311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100e043ea45805c838b5f0ea632de1f91c528ea375dfb1b5269281cd5a4a7e786a2fb4a7f939c57d660d82445ab5202bd079da379260518ede8561258d359185bcdd953dd57e13e0409fa1e8243bd03c51065c1e4b7ce76c79f11
EAP-Message =
0xfeb3b1d67457dead53ff75d426cb491ef2817f61decf4822025ecbf124c2044577497c909d2ee70203010001a381f93081f6301d0603551d0e04160414d68d66dbf69735b51808d00818fb0726216a8ab43081c60603551d230481be3081bb8014d68d66dbf69735b51808d00818fb0726216a8ab4a18197a48194308191310b3009060355040613024954310d300b06035504081304526f6d61310d300b06035504071304526f6d613111300f060355040a1308416c7465726e65743111300f060355040b1308416c7465726e6574311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612
EAP-Message =
0x636c69656e74406578616d706c652e636f6d8209008dda5bd3a7f50e3e300c0603551d13040530030101ff300d06092a864886f70d010105050003818100dc40f83c65cddd61b12275e28cc78c8e0438ffecf645610c730ea82db816fe3ae135b8081465723bbf0e5d8320012d5976829acf36017145daaecfb9f7878c2e507ec1134cac341d74cdcd026f623701025d99b7b1612f93ca2cbcb3d198defd1d1344f3450add5c8c0149c52926b61cf43555617bbba12273e0f6c2949a109e16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf664a3688107dff0aeb06e99c3cd0bad
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.0.253:1645, id=20, length=328
User-Name = "pippo"
Framed-MTU = 1400
Called-Station-Id = "001e.f7ea.1730"
Calling-Station-Id = "0002.2d1d.5eb7"
Service-Type = Login-User
Message-Authenticator = 0xc0a846d3c40d94b590cd81769fac71b0
EAP-Message =
0x020500c01980000000b61603010086100000820080a7911d4bf396087ca352da5907f6f14a56a6c5f50897434de14ea03e7b928bf33678b6f672ebdef6122cf1ab9976dd4db07061dce0c139a863956257532e66ce06213c66f19cb59ed3be366fe300b5586815f9b92f52b47d5e84aeba8768490f54c5600cf095f987eb8702e67de57322b7e54243ce772b4faa6a1f7270a8c942140301000101160301002040df7461db493cfdcfd14352506fd4827a33ec9924550896304c85147d08b741
NAS-Port-Type = Wireless-802.11
NAS-Port = 259
NAS-Port-Id = "259"
State = 0xf664a3688107dff0aeb06e99c3cd0bad
NAS-IP-Address = 10.0.0.253
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
radius_xlat: 'pippo'
rlm_sql (sql): sql_set_user escaped user --> 'pippo'
radius_xlat: 'select distinct u.id,u.UserName,u.Attribute,u.Value,u.op
from radcheck u,user_nas un,nas n where u.username=un.user and (un.nas
is null or un.nas=n.id ) and u.username='pippo' and n.nasname='10.0.0.253';'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): User pippo not found in radcheck
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'pippo' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'pippo' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User pippo not found in radgroupcheck
rlm_sql (sql): Released sql socket id: 0
rlm_sql (sql): User not found
modcall[authorize]: module "sql" returns notfound for request 3
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "pippo", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 3
rlm_eap: EAP packet type response id 5 length 192
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
modcall: leaving group authorize (returns updated) for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 20 to 10.0.0.253 port 1645
EAP-Message =
0x01060031190014030100010116030100208a0f62e4e86855ae5176b5310b0471e1564120af45eb4b3ad937e85c6ae6b179
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3a6b732983a33b1899a25d3ea3341f2f
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.0.253:1645, id=21, length=142
User-Name = "pippo"
Framed-MTU = 1400
Called-Station-Id = "001e.f7ea.1730"
Calling-Station-Id = "0002.2d1d.5eb7"
Service-Type = Login-User
Message-Authenticator = 0xd0748ad7c38ea512eaebc9f6f0fd10d6
EAP-Message = 0x020600061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 259
NAS-Port-Id = "259"
State = 0x3a6b732983a33b1899a25d3ea3341f2f
NAS-IP-Address = 10.0.0.253
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
radius_xlat: 'pippo'
rlm_sql (sql): sql_set_user escaped user --> 'pippo'
radius_xlat: 'select distinct u.id,u.UserName,u.Attribute,u.Value,u.op
from radcheck u,user_nas un,nas n where u.username=un.user and (un.nas
is null or un.nas=n.id ) and u.username='pippo' and n.nasname='10.0.0.253';'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): User pippo not found in radcheck
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'pippo' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'pippo' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User pippo not found in radgroupcheck
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): User not found
modcall[authorize]: module "sql" returns notfound for request 4
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "pippo", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: EAP packet type response id 6 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap_peap: EAPTLS_SUCCESS
modcall[authenticate]: module "eap" returns handled for request 4
modcall: leaving group authenticate (returns handled) for request 4
Sending Access-Challenge of id 21 to 10.0.0.253 port 1645
EAP-Message =
0x01070020190017030100154b864fbf6fd1b72f1c09297a0820f894cb11d281c1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7cb4be32fe088632b3aaea0292a9fe5a
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.0.253:1645, id=22, length=169
User-Name = "pippo"
Framed-MTU = 1400
Called-Station-Id = "001e.f7ea.1730"
Calling-Station-Id = "0002.2d1d.5eb7"
Service-Type = Login-User
Message-Authenticator = 0x87f7a371b175e6799019de4a74358073
EAP-Message =
0x02070021190017030100165f30375832ec81e3e1046d0b8e7d2b6d2afad47b4a85
NAS-Port-Type = Wireless-802.11
NAS-Port = 259
NAS-Port-Id = "259"
State = 0x7cb4be32fe088632b3aaea0292a9fe5a
NAS-IP-Address = 10.0.0.253
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
radius_xlat: 'pippo'
rlm_sql (sql): sql_set_user escaped user --> 'pippo'
radius_xlat: 'select distinct u.id,u.UserName,u.Attribute,u.Value,u.op
from radcheck u,user_nas un,nas n where u.username=un.user and (un.nas
is null or un.nas=n.id ) and u.username='pippo' and n.nasname='10.0.0.253';'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): User pippo not found in radcheck
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'pippo' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'pippo' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User pippo not found in radgroupcheck
rlm_sql (sql): Released sql socket id: 3
rlm_sql (sql): User not found
modcall[authorize]: module "sql" returns notfound for request 5
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "pippo", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5
rlm_eap: EAP packet type response id 7 length 33
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - pippo
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x0207000a01706970706f
PEAP: Got tunneled identity of pippo
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to pippo
PEAP: Sending tunneled request
EAP-Message = 0x0207000a01706970706f
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "pippo"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
radius_xlat: 'pippo'
rlm_sql (sql): sql_set_user escaped user --> 'pippo'
radius_xlat: 'select distinct u.id,u.UserName,u.Attribute,u.Value,u.op
from radcheck u,user_nas un,nas n where u.username=un.user and (un.nas
is null or un.nas=n.id ) and u.username='pippo' and n.nasname='';'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): User pippo not found in radcheck
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'pippo' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'pippo' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User pippo not found in radgroupcheck
rlm_sql (sql): Released sql socket id: 2
rlm_sql (sql): User not found
modcall[authorize]: module "sql" returns notfound for request 5
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "pippo", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5
rlm_eap: EAP packet type response id 7 length 10
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
PEAP: Got tunneled reply RADIUS code 11
EAP-Message =
0x0108001f1a0108001a10692271dc5ffef6c67e921e617f35bd44706970706f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfbf140869867914eb407f821c62352d9
PEAP: Processing from tunneled session code 0xb9a52d68 11
EAP-Message =
0x0108001f1a0108001a10692271dc5ffef6c67e921e617f35bd44706970706f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfbf140869867914eb407f821c62352d9
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
Sending Access-Challenge of id 22 to 10.0.0.253 port 1645
EAP-Message =
0x010800361900170301002b783d3cfeb437e7157bdc93c45d997969fd7ce0da45ea00e2504527d85bcb06b55fe1af8f83089a3bdc0ee8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x478bc73d756deba5e30aa269915543c0
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.0.253:1645, id=23, length=223
User-Name = "pippo"
Framed-MTU = 1400
Called-Station-Id = "001e.f7ea.1730"
Calling-Station-Id = "0002.2d1d.5eb7"
Service-Type = Login-User
Message-Authenticator = 0x5bc9dce8637cac8dc607ed96f2a5ade3
EAP-Message =
0x020800571900170301004ca8bfafc60bc2da57a97e692239a652dc92a7f403a50b1780fe30b2530e4f2884acf5cf08f3e27d0894d40bbbab40bd45ceae5b5d78ed29991826fff6f9edc7b32b1dbe332070b199672b83f9
NAS-Port-Type = Wireless-802.11
NAS-Port = 259
NAS-Port-Id = "259"
State = 0x478bc73d756deba5e30aa269915543c0
NAS-IP-Address = 10.0.0.253
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
radius_xlat: 'pippo'
rlm_sql (sql): sql_set_user escaped user --> 'pippo'
radius_xlat: 'select distinct u.id,u.UserName,u.Attribute,u.Value,u.op
from radcheck u,user_nas un,nas n where u.username=un.user and (un.nas
is null or un.nas=n.id ) and u.username='pippo' and n.nasname='10.0.0.253';'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): User pippo not found in radcheck
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'pippo' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'pippo' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User pippo not found in radgroupcheck
rlm_sql (sql): Released sql socket id: 1
rlm_sql (sql): User not found
modcall[authorize]: module "sql" returns notfound for request 6
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "pippo", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_eap: EAP packet type response id 8 length 87
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
modcall: leaving group authorize (returns updated) for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message =
0x020800401a0208003b310f0c5303ac12a988a638309df8423ece0000000000000000b3fa1bdf79b86558001612c3dc345c33b22807c60abb47fc00706970706f
PEAP: Setting User-Name to pippo
PEAP: Adding old state with fb f1
PEAP: Sending tunneled request
EAP-Message =
0x020800401a0208003b310f0c5303ac12a988a638309df8423ece0000000000000000b3fa1bdf79b86558001612c3dc345c33b22807c60abb47fc00706970706f
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "pippo"
State = 0xfbf140869867914eb407f821c62352d9
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
radius_xlat: 'pippo'
rlm_sql (sql): sql_set_user escaped user --> 'pippo'
radius_xlat: 'select distinct u.id,u.UserName,u.Attribute,u.Value,u.op
from radcheck u,user_nas un,nas n where u.username=un.user and (un.nas
is null or un.nas=n.id ) and u.username='pippo' and n.nasname='';'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): User pippo not found in radcheck
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'pippo' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'pippo' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User pippo not found in radgroupcheck
rlm_sql (sql): Released sql socket id: 0
rlm_sql (sql): User not found
modcall[authorize]: module "sql" returns notfound for request 6
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "pippo", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_eap: EAP packet type response id 8 length 64
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
modcall: leaving group authorize (returns updated) for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 6
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for pippo with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 6
modcall: leaving group authenticate (returns reject) for request 6
auth: Failed to validate the user.
Login incorrect: [pippo/<no User-Password attribute>] (from client
localhost port 0)
PEAP: Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Processing from tunneled session code 0xb9a2fa90 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
Sending Access-Challenge of id 23 to 10.0.0.253 port 1645
EAP-Message =
0x010900261900170301001b72d325127b5973100fa8d098c2feafb32854c21b372063c6c7d38c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6fa3216d86c09c9b58f1234472c012fb
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.0.253:1645, id=24, length=174
User-Name = "pippo"
Framed-MTU = 1400
Called-Station-Id = "001e.f7ea.1730"
Calling-Station-Id = "0002.2d1d.5eb7"
Service-Type = Login-User
Message-Authenticator = 0x131d0a57d2d876d229fe260152d069fe
EAP-Message =
0x020900261900170301001b8af7f8e0d25d7d407367ae789fe7347e77a0e2972d56a9c6385e43
NAS-Port-Type = Wireless-802.11
NAS-Port = 259
NAS-Port-Id = "259"
State = 0x6fa3216d86c09c9b58f1234472c012fb
NAS-IP-Address = 10.0.0.253
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
radius_xlat: 'pippo'
rlm_sql (sql): sql_set_user escaped user --> 'pippo'
radius_xlat: 'select distinct u.id,u.UserName,u.Attribute,u.Value,u.op
from radcheck u,user_nas un,nas n where u.username=un.user and (un.nas
is null or un.nas=n.id ) and u.username='pippo' and n.nasname='10.0.0.253';'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): User pippo not found in radcheck
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'pippo' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'pippo' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User pippo not found in radgroupcheck
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): User not found
modcall[authorize]: module "sql" returns notfound for request 7
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "pippo", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 7
rlm_eap: EAP packet type response id 9 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
modcall: leaving group authorize (returns updated) for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure. User was rejcted rejected
earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 7
modcall: leaving group authenticate (returns invalid) for request 7
auth: Failed to validate the user.
Login incorrect: [pippo/<no User-Password attribute>] (from client
ap-pippo port 259 cli 0002.2d1d.5eb7)
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.0.253:1645, id=24, length=174
Sending Access-Reject of id 24 to 10.0.0.253 port 1645
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
3
8
Hi Alan.
In old version I don't to create SSL certificates. Just to configure file
radius.conf, eap.conf, users, clients.conf and when I run the program it
work fine.
With a new versions I make same configurations but not work.
¿I think that the SSL certificates can be create alone by the server?
Message: 1
Date: Thu, 3 Apr 2008 19:55:03 +0100
From: A.L.M.Buxey(a)lboro.ac.uk
Subject: Re: Users cant connect Freeradius 2.0.2
To: FreeRadius users mailing list
<freeradius-users(a)lists.freeradius.org>
Message-ID: <20080403185503.GF7572(a)lboro.ac.uk>
Content-Type: text/plain; charset=us-ascii
Hi,
> I'm configuring the freeradius as old version, I don't copy the
> configurations files, I configure again the files.
> But when I to run radiusd -X my clients not connect.
>
> Sends an error of authentification.
you've configured and copied the SSL certificates etc correctly?
by default a plain install will generate some dummy ones
the first time its run....
alan
2
1
RE: Re: Missing NAS-Port in Access request with respect to RFC 2865
by Ramm-Ericson, Johannes 04 Apr '08
by Ramm-Ericson, Johannes 04 Apr '08
04 Apr '08
Alan DeKok wrote:
>Ramm-Ericson, Johannes wrote:
>>>From what I understand the current Freeradius code interprets the RFC
>> statement so that if the NAS-Port attribute is not sent then the
access
>> request is not processed and subsequently denied (in rlm_radutmp.c -
>> line 404).
>
> No.
>
> The *radutmp* module requires the NAS port for it's proper operation.
> The *server* does not.
Fair enough, from my usage perspective the server and module are one
unit. They are however separate entities and I could have been more
explicit in my description.
> The request is *not* denied if there is no NAS-Port.
OK. However, access requests from that particular NAS are in effect not
processed the way I expect because of the lacking NAS-Port which still
leaves me with a problem I need to understand and fix.
The NAS admins on the other end refuse to forward the NAS-Port because
their experience with other Radius servers has never made the presence
of NAS-Port a requirement earlier. I suspect that the terminology of the
RFC actually confirms their point of view.
>> However; shouldn't the statement from the RFC be intertpreted such
that
>> if *neither* the NAS-Port or the NAS-Port-Type is set then the access
>> request should not be processed and subsequently denied?
>
> No. I have no idea why you think the request is being denied.
I apologise; I should rather have said that the request is not being
processed further as I am hoping it would.
>> I'm thinking
>> something along the lines of changing line 404 of rlm_radutmp.c to:
>>
>> if (!port_seen && !nas_port_type) {
>
> No. The radutmp module needs a NAS-Port to put into the radutmp data
> structure. The NAS-Port-Type attribute cannot be used for this
purpose.
OK. But what I was trying to say was that I think the if statement in
rlm_radutmp is not correctly interpreting the RFC. From my understanding
the RFC says that "either NAS-Port or NAS-Port-Type or both" must be
present. However:
if (!port_seen) {
looks to be saying that NAS-Port *must* always be present, which isn't
quite the same thing.
Just to clarify; I may very well be wrong about all this but I have a
workaround that I think is just that: a workaround, rather than a
correct solution. My hope is that either someone on the mailinglist can
explain why I'm getting it all wrong or that I actually have found a bug
and that it in that case hopefully can be squashed.
>> I'll apologise in advance if my all too rusty programming skills are
>> making me misunderstand the situation entirely...
>
> I think you're confusing "server" with "module".
Absolutely. I should have put more effort into explaining what I'm
thinking is wrong.
Cheers,
J.
2
1